In message <alpine.lfd.1.10.0907160212170.20...@newtla.xelerance.com>, Paul Wouters writes:
> On Thu, 16 Jul 2009, Mark Andrews wrote:
>
> >> How would this work?
> >
> > With portals that are only available to internal servers you are
> > grafting on namespace and you configure your validator to know about
> > it and potentially not validate that namespace.
> >
> >     zone "portal.isp.com" {
> >             type forward;
> >             forward only;
> >             forwarders { ISP's recursive servers; };
> >     };
> >
> > this is really no different to internal namespace.
>
> The problem is not resolving portal.isp.com. The problem is that
> mail.xelerance.com "resolves" to portal.isp.com, but never makes
> it because my validating stub resolver has a DNSSEC key loaded
> for xelerance.com. A problem that in the future will become worse
> when the majority of the domains (and the root) is signed.
>
> Paul

Well if xelerance.com is signed then internal (split dns)
representations also need to be signed.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop