

To: Michael Richardson <mcr@sandelman.ottawa.on.ca>, dnssec@cafax.se
From: Mike StJohns <Mike.StJohns@nominum.com>
Date: Mon, 10 May 2004 16:37:15 -0400
In-Reply-To: <5974.1084216951@marajade.sandelman.ottawa.on.ca>
Sender: owner-dnssec@cafax.se
Subject: Re: dnssec: resolver - application communication


>  Consider the situation where the user calls up the IT department, and
>says "I was SSHing to foo.example, and it said 'bogus'".
>   How does this get resolved?

Typically by the IT department going and trying the query. And working
their way back up the tree until they figure out what's going on. The IT
department needs two bits of information to resolve this: 1) does this
happen for other parts of the signed tree (bar.example?) and 2) what was
the name that failed. The former error points to a resolver config problem
at the client or caching server, the latter lets them work the problem.

And the actual error message would be something like - "Invalid or missing 
digital signature resolving 'foo.com', policy prohibits SSH connection."   

