

To: Bill Manning <bmanning@isi.edu>
Cc: jas@extundo.com, jseng@pobox.org.sg, keydist@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: 09 Apr 2002 23:58:15 -0400
In-Reply-To: <200204091802.g39I2q814973@boreas.isi.edu>
Sender: owner-keydist@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Subject: Re: Let's assume DNS is involved

Bill Manning <bmanning@ISI.EDU> writes:

> 	Are you stating that there can exist a key/cert RRset that
> 	is independent or (not bound to) a larger RRset that would
> 	also include either an A or PTR rr?

I was certainly under the impression that a resolver could make
a request for an 'A' record independent of a 'CERT' record, so...

> 	I always thought that an rrset would consist of:
> 
> 	woozle	in	a	300.0.0.300
> 			cert	"x509 thingie"
> 			sig	"sig thingie"
> 
> 	and that
> 	
> 	woozle	in	cert	"x509 thingie"
> 			sig	"sig thingie"
> 
> 	would not be correct.  Time to check the code... :)

I believe that you are incorrect, and that the latter "response" is a
perfectly valid response, or a perfectly valid RRset at a node.

> 	If a sig/cert rrset can exist w/o an associated A/PTR
> 	rr, then I will agree w/ you.  If not, then I think
> 	that caching servers will try and store all kinds of 
> 	stuff that they may not "normally" expect.

I was always under the impression that this was the case.

> --bill

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
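
The following is an added example, not part of the original message or of any code the posters refer to. It models the question in the thread using the RRset definition from RFC 2181 (records sharing owner name, class and type), with each SIG attached to the RRset whose type it covers; the `pooh` node, the 192.0.2.1 address and the signature strings are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data. "woozle" mirrors the node in the thread; "pooh" is
# a hypothetical node that carries a CERT but no A record at all.
RECORDS = [
    ("woozle", "IN", "A", "192.0.2.1"),
    ("woozle", "IN", "CERT", "x509 thingie"),
    ("woozle", "IN", "SIG", "A sig-over-A"),        # rdata: <type covered> <signature>
    ("woozle", "IN", "SIG", "CERT sig-over-CERT"),
    ("pooh", "IN", "CERT", "another x509 thingie"),
    ("pooh", "IN", "SIG", "CERT sig-over-pooh-CERT"),
]


def build_rrsets(records):
    """Group records into RRsets keyed by (owner, class, type).

    SIG records are indexed by the type they cover, so each signature
    travels with exactly one RRset rather than with the whole node.
    """
    rrsets = defaultdict(list)
    sigs = defaultdict(list)
    for owner, rclass, rtype, rdata in records:
        name = owner.lower()  # owner names compare case-insensitively
        if rtype == "SIG":
            covered, _, signature = rdata.partition(" ")
            sigs[(name, rclass, covered)].append(signature)
        else:
            rrsets[(name, rclass, rtype)].append(rdata)
    return dict(rrsets), dict(sigs)


def answer(rrsets, sigs, owner, rtype, rclass="IN"):
    """Return the RRset (and covering SIGs) for one query, or None if absent."""
    key = (owner.lower(), rclass, rtype)
    if key not in rrsets:
        return None
    return {"type": rtype, "rdata": rrsets[key], "sig": sigs.get(key, [])}


RRSETS, SIGS = build_rrsets(RECORDS)

if __name__ == "__main__":
    for query in [("woozle", "A"), ("woozle", "CERT"), ("pooh", "CERT"), ("pooh", "A")]:
        print(query, "->", answer(RRSETS, SIGS, *query))
```

A cache keyed the same way stores the CERT RRset and its SIG under their own key, with no dependency on an A or PTR record at the same name.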
