nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?

From: bmanning () karoshi com
Date: Tue, 16 Sep 2003 11:27:08 -0700 (PDT)


    thats one aspect yes.  the valdiation chain should tell
    you who signed the delegations.  It won't lie.
    you will know that V'sign put that data there.


How frikking many hacks will we need to BIND9 to work around this braindamage?
One to stuff back in the NXDomain if the A record points there, another to
do something with make-believe DNSsec from them..... What's next?


        'splain "braindamage" in this context please.
        DNSSEC - signed data in the zone.
        wildcards - part of the spec.

        if vt.edu wants to place a:   

                * in a 198.82.247.53
        
        in the vt.edu zone, why should anyone complain that now vt.edu
        doesn't return NXDOMAIN for all un-delegated entries?  You want
        that everyone should hack the DNS to force NXDOMAINS for your
        wildcard?  Feh.

        DNSSEC will tell a validating resolver the signature of each
        party that signed part of the chain.  If Verisign wishes to 
        sign bits of data that might exist under the delegation point
        they have responsibility for, I'm in favor. Its not "make-believe"
        ... or perhaps I don't understand your angst.
Previous By Date Next
Previous By Thread Next

Current thread: