To: dnssec@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Mon, 10 May 2004 12:31:39 -0400
In-Reply-To: Message from Mike StJohns <Mike.StJohns@nominum.com> of "Mon, 10 May 2004 11:51:48 EDT." <6.0.1.1.2.20040510113833.03319150@localhost>
Sender: owner-dnssec@cafax.se
Subject: Re: dnssec: resolver - application communication

>>>>> "Mike" == Mike StJohns <Mike.StJohns@nominum.com> writes:
    Mike> etc). For a SASR (security aware stub resolver) to be able
    Mike> to verify a piece of information, it needs the RRSet for that
    Mike> information, the applicable RRSIG, and a chain of DNSKEY and
    Mike> DS records back to some trust anchor. The recursive resolver
    Mike> needs to be able to provide those along with the other parts
    Mike> of the response. Note that because of a possible difference
    Mike> in trust

What MST said.
And we need this information for successful replies too - we need to put
this information in our audit logs.

--
] ON HUMILITY: to err is human. To moo, bovine.            |  firewalls  [
] Michael Richardson, Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
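An added example, not part of the original thread: a structural check that a response carries every link the quoted text lists (RRset, RRSIG, DNSKEY, DS, trust anchor), returning one audit record for complete and incomplete chains alike. It verifies no signatures or DS digests; the record layout, key tags and function names are assumptions made for illustration.

```python
import json

# Constructed sample: names and key tags are made up; no signatures are verified.
ANCHORS = {"com.": {4444}}  # zone -> key tags configured as trust anchors
RESPONSE = {
    "answer": ("www.example.com.", "A"),
    "rrsigs": {  # (owner, covered type) -> (signer zone, key tag)
        ("www.example.com.", "A"): ("example.com.", 1111),
        ("example.com.", "DNSKEY"): ("example.com.", 2222),
        ("example.com.", "DS"): ("com.", 3333),
        ("com.", "DNSKEY"): ("com.", 4444),
    },
    "dnskeys": {"example.com.": {1111, 2222}, "com.": {3333, 4444}},
    "ds": {"example.com.": {2222}},  # child zone -> key tags named by its DS RRset
}

def is_parent(parent, zone):
    """True if 'parent' is a strict ancestor of 'zone' (guarantees the walk ends)."""
    return parent != zone and (parent == "." or zone.endswith("." + parent))

def audit_chain(resp, anchors):
    """Walk RRSIG -> DNSKEY -> DS links upward; report the path and any gap."""
    owner, rtype = resp["answer"]
    path, missing = [], None
    sig = resp["rrsigs"].get((owner, rtype))
    if sig is None:
        missing = f"RRSIG covering {owner} {rtype}"
    while missing is None:
        zone, tag = sig
        keys = resp["dnskeys"].get(zone, set())
        ksig = resp["rrsigs"].get((zone, "DNSKEY"))
        if tag not in keys:
            missing = f"DNSKEY {zone} tag {tag}"
        elif ksig is None or ksig[0] != zone or ksig[1] not in keys:
            missing = f"self-signature over DNSKEY {zone}"
        else:
            path.append(zone)
            if ksig[1] in anchors.get(zone, set()):
                break  # reached a configured trust anchor
            parent_sig = resp["rrsigs"].get((zone, "DS"))
            if ksig[1] not in resp["ds"].get(zone, set()):
                missing = f"DS {zone} tag {ksig[1]}"
            elif parent_sig is None or not is_parent(parent_sig[0], zone):
                missing = f"RRSIG covering {zone} DS"
            else:
                sig = parent_sig  # continue validating in the parent zone
    return {"qname": owner, "qtype": rtype, "chain": path,
            "complete": missing is None, "missing": missing}

if __name__ == "__main__":
    print(json.dumps(audit_chain(RESPONSE, ANCHORS)))  # one audit-log line
```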