Re: SIG over KEY at parent

[Edward Lewis <lewis@tislabs.com>]

What is a 'chaser?' ;)

I looked at this some to try to understand the problem.  You say that
213.53.69.1 is a secondary, do you mean to imply that 193.0.0.202 is a
primary?  (I tried to ask for the SOA of nlnetlabs.nl.nl - 193.0.0.202
returns a referral.)  Asking 193.0.0.202 for the A record of
open.nlnetlabs.nl (an ns of nlnetlabs.nl.nl) returns a REFUSED.

At 10:58 AM -0400 5/3/01, Stephan Jager wrote:
>Hi,
>
>I'm working on a chaser for DNSSEC in perl with the extensions Olaf
>made. As the chaser can be seen as a stupid resolver with no knowledge
>from the outside world, it has a problem getting a SIG over a KEY from a
>nameserver its master/secundairy. In stead of the SIG over the parents KEY
>I get a self-signed KEY, which is not usefull for chasing.
>
>For example try this:
>
>dig KEY +dnssec nlnetlabs.nl.nl @193.0.0.202
>dig KEY +dnssec nlnetlabs.nl.nl @213.53.69.1
>      (secundairy for nlnetlabs.nl.nl)
>
>The first one gives me the SIG with the nl.nl KEY, the 2nd one gives me
>the SIG with the nlnetlabs.nl.nl KEY. And yet there is no way for "me
>simple chaser" to get the nl.nl SIG when I have only have the wrong
>nameserver in the config.
>
>Yet another reason to not have the zone KEY from the zone in the child,
>but only at the parent.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.