In message <alpine.lfd.1.10.0907160212170.20...@newtla.xelerance.com>, Paul
Wouter
s writes:
> On Thu, 16 Jul 2009, Mark Andrews wrote:
>
> >> How would this work?
> >
> > With portals that are only available to internal servers you are
> > grafting on namespace and you configure your validator to know about
> > it and potentially not validate that namespace.
> >
> > zone "portal.isp.com" {
> > type forward;
> > forward only;
> > forwarders { ISP'r recursive servers; };
> > };
> >
> > this is really no different to internal namespace.
>
> The problem is not resolving portal.isp.com. The problem is that
> mail.xelerance.com "resolves" to portal.isp.com, but never makes
> it because my validating stub resolver has a DNSSEC key loaded
> for xelerance.com. A problem that in the future will become worse
> when the majority of the domains (and the root) is signed.
>
> Paul
Well if xelerance.com is signed then internal (split dns)
representations also need to be signed.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
