Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?

bmanning at karoshi.com bmanning at karoshi.com
Tue Sep 16 18:27:08 UTC 2003


> > 	that's one aspect yes.  the validation chain should tell
> > 	you who signed the delegations.  It won't lie.
> > 	you will know that V'sign put that data there.
> 
> How frikking many hacks will we need to BIND9 to work around this braindamage?
> One to stuff back in the NXDomain if the A record points there, another to
> do something with make-believe DNSsec from them..... What's next?

	'splain "braindamage" in this context please.
	DNSSEC - signed data in the zone.
	wildcards - part of the spec.

	if vt.edu wants to place a:   

		* in a 198.82.247.53
	
	in the vt.edu zone, why should anyone complain that now vt.edu
	doesn't return NXDOMAIN for all un-delegated entries?  You want
	that everyone should hack the DNS to force NXDOMAINS for your
	wildcard?  Feh.

	DNSSEC will tell a validating resolver the signature of each
	party that signed part of the chain.  If Verisign wishes to 
	sign bits of data that might exist under the delegation point
	they have responsibility for, I'm in favor. It's not "make-believe"
	... or perhaps I don't understand your angst.
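
The wildcard behaviour discussed in this message, as an added example that is not part of the original post and is not BIND's code: a toy authoritative lookup following the RFC 1034/4592 wildcard rules, showing which names a `*` record answers for and which still get NXDOMAIN or a referral. Every zone entry except the wildcard A record is constructed, and `lookup`, `exists` and `wildcard_in_effect` are hypothetical helper names.

```python
import secrets

ORIGIN = "vt.edu"
# Constructed sample zone; only the wildcard A record is taken from the message.
ZONE = {
    "vt.edu": {"NS": ["ns1.vt.edu"]},
    "*.vt.edu": {"A": ["198.82.247.53"]},
    "www.vt.edu": {"A": ["192.0.2.10"]},
    "cs.vt.edu": {"NS": ["ns.cs.vt.edu"]},       # delegated child zone
    "host.lab.vt.edu": {"A": ["192.0.2.20"]},    # makes lab.vt.edu an empty non-terminal
}

def exists(name):
    """True if the name owns records or has descendants (empty non-terminal)."""
    return any(o == name or o.endswith("." + name) for o in ZONE)

def lookup(qname, qtype="A"):
    """Return (rcode, records, synthesized_from_wildcard)."""
    qname = qname.lower().rstrip(".")
    if qname != ORIGIN and not qname.endswith("." + ORIGIN):
        return ("REFUSED", [], False)
    parts = qname.split(".")
    depth = len(ORIGIN.split("."))
    # A zone cut between the apex and qname wins: wildcards never cover delegations.
    for i in range(len(parts) - depth - 1, -1, -1):
        node = ".".join(parts[i:])
        if "NS" in ZONE.get(node, {}):
            return ("REFERRAL", ZONE[node]["NS"], False)
    if exists(qname):  # exact match; an empty record list here means NODATA
        return ("NOERROR", ZONE.get(qname, {}).get(qtype, []), False)
    # Closest encloser = longest existing ancestor; only "*.<encloser>" may match.
    encloser = next(".".join(parts[i:]) for i in range(1, len(parts))
                    if exists(".".join(parts[i:])))
    wild = ZONE.get("*." + encloser)
    if wild is None:
        return ("NXDOMAIN", [], False)
    return ("NOERROR", wild.get(qtype, []), True)

def wildcard_in_effect(resolve=lookup):
    """Operator check: random, never-created labels that still resolve imply a wildcard."""
    probes = [secrets.token_hex(8) + "." + ORIGIN for _ in range(2)]
    return all(resolve(p)[0] == "NOERROR" and resolve(p)[1] for p in probes)
```

Names under the delegation and names below the empty non-terminal `lab.vt.edu` are not covered by the apex wildcard, so NXDOMAIN does not disappear for the whole zone.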


