To: stephan@nlnetlabs.nl
Cc: dnssec@cafax.se
From: Havard Eidnes <he@runit.no>
Date: Fri, 04 May 2001 14:28:12 +0200
In-Reply-To: Your message of "Fri, 04 May 2001 14:07:11 +0200" <200105041207.OAA19635@catv8013.extern.kun.nl>
Sender: owner-dnssec@cafax.se
Subject: Re: SIG over KEY problem
> However, using a forwarder, which happens to be also
> authoritative for nlnetlabs.nl.nl, I get:
> - the KEY for nlnetlabs.nl.nl (this is OK)
> - the SIG from the nlnetlabs.nl.nl-KEY over the
> nlnetlabs.nl.nl-KEY (the self-sig, which is useless for
> the resolver).

This is the kind of trouble we get into when we wilfully and intentionally use the same name, class and record type but with significantly different data on the two different sides of a zone cut. That has always struck me as a particularly bad design decision, as it runs contrary to all the traditional rules for DNS consistency and for record lookup.

I have probably raised my voice on this before, but I also probably didn't understand the justification for why this was not a problem. I don't suppose someone will indulge me by repeating the explanation?

> The question I now have is whether I should change the resolver
> to explicitly choose another forwarding server (apart from making
> it much more complicated, it prohibits its use behind a firewall),
> or whether the forwarder should be changed, or the protocol?

That just strikes me as an ugly kludge to work around what could possibly be argued to be a design defect (see above).

Regards,

- Håvard