To: Bill Manning <bmanning@isi.edu>
Cc: jas@extundo.com, jseng@pobox.org.sg, keydist@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: 09 Apr 2002 23:58:15 -0400
In-Reply-To: <200204091802.g39I2q814973@boreas.isi.edu>
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Subject: Re: Let's assume DNS is involved

Bill Manning <bmanning@ISI.EDU> writes:

> Are you stating that there can exist a key/cert RRset that
> is independent or (not bound to) a larger RRset that would
> also include either an A or PTR rr?

I was certainly under the impression that a resolver could make
a request for an 'A' record independent of a 'CERT' record, so...

> I always thought that an rrset would consist of:
>
> woozle in a 300.0.0.300
> cert "x509 thingie"
> sig "sig thingie"
>
> and that
>
> woozle in cert "x509 thingie"
> sig "sig thingie"
>
> would not be correct. Time to check the code... :)

I believe that you are incorrect, and that the latter "response" is a
perfectly valid response, or a perfectly valid RRset at a node.

> If a sig/cert rrset can exist w/o an associated A/PTR
> rr, then I will agree w/ you. If not, then I think
> that caching servers will try and store all kinds of
> stuff that they may not "normally" expect.

I was always under the impression that this was the case.

> --bill

-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
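
The question discussed in this message, whether a CERT RRset with its SIG can sit at a name that has no A or PTR record, modelled as an added example that is not part of either poster's message or of any DNS implementation. It follows the RFC 2181 section 5 definition of an RRset (same owner name, class and type); the names, record data and the simplified lookup function are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not from the thread): (owner, class, type, rdata).
# For SIG records the rdata here starts with the type the signature covers.
RECORDS = [
    ("woozle.example.", "IN", "A", "192.0.2.1"),
    ("woozle.example.", "IN", "CERT", "PKIX <constructed cert data>"),
    ("woozle.example.", "IN", "SIG", "A <constructed signature>"),
    ("woozle.example.", "IN", "SIG", "CERT <constructed signature>"),
    # A node that carries only a CERT RRset and its signature, no A or PTR.
    ("certonly.example.", "IN", "CERT", "PKIX <constructed cert data>"),
    ("certonly.example.", "IN", "SIG", "CERT <constructed signature>"),
]


def build_rrsets(records):
    """Group records into RRsets keyed by (owner, class, type).

    In this sketch SIG records are indexed by the type they cover, so the
    signature can be returned alongside the RRset it signs.
    """
    rrsets = defaultdict(list)
    sigs = defaultdict(list)
    for owner, rclass, rtype, rdata in records:
        name = owner.lower()  # owner names compare case-insensitively
        if rtype == "SIG":
            covered = rdata.split()[0]
            sigs[(name, rclass, covered)].append(rdata)
        else:
            rrsets[(name, rclass, rtype)].append(rdata)
    return rrsets, sigs


def answer(records, qname, qtype, qclass="IN"):
    """Return (rcode, answer_rdata, sig_rdata) for one question."""
    rrsets, sigs = build_rrsets(records)
    key = (qname.lower(), qclass, qtype)
    node_exists = any(k[0] == key[0] for k in list(rrsets) + list(sigs))
    if not node_exists:
        return "NXDOMAIN", [], []
    # The node exists: a type it lacks is NODATA (NOERROR, empty answer),
    # and a type it has is returned without any other RRset at the node.
    return "NOERROR", list(rrsets.get(key, [])), list(sigs.get(key, []))


if __name__ == "__main__":
    for qname, qtype in [("certonly.example.", "CERT"), ("certonly.example.", "A")]:
        print(qname, qtype, answer(RECORDS, qname, qtype))
```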