I seem to be unable to find it in the specification that you need to validate the new NS set. So, I don't assume that NS RRset is validated, just updated.

I do know that the referral should be authenticated with the DS RRset, signed with the parent key. So, I assume that the following is possible:

1. If that DS is validated with a DNSKEY RR from the parent, and it matches the algorithm and key tag of a DNSKEY RR of the child, the referral is considered authenticated.
2. I can use the NS RRset *from the parent* to resend my query for <www.example.com IN A>.
3. From there, I get the new RRset signed with a key from the winning operator.

Please show me the text from the specification that tells me that this is impossible.

Best regards,
Matthijs

On 04/26/2011 04:14 PM, Paul Wouters wrote:
> On Tue, 26 Apr 2011, Matthijs Mekking wrote:
>
>>> How is the NS set "updated" without validating that NS set using the
>>> DNSKEY set and DS record of the winning operator?
>>
>> How do you know which DNSKEY is from the winning operator?
>>
>> There are two DS records at the parent (DS 11111, DS 22222) and the
>> first one matches the cached DNSKEY RR.
>
> Again, how did YOU validate the new NSset if you don't have the right
> DNSKEY? Please read the original text again. It assumes you somehow got
> an updated *validated* NSset of the new operator, without having the
> DNSKEY that validated that NSset. I keep telling you that is not possible.
>
> Paul
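The DS-to-DNSKEY matching that point 1 and the "DS 11111 / DS 22222" exchange turn on, as an added example that is not part of this thread: a validator selects candidate DNSKEYs by algorithm and key tag (RFC 4034 Appendix B), but a DS only authenticates a key when the digest over owner name plus DNSKEY RDATA also matches (RFC 4034 section 5.1.4, RFC 4035 section 5.2). The keys, owner name and rollover scenario below are constructed placeholders, not real zone data.

```python
import hashlib
import struct

# DS digest types (RFC 4034 Appendix A.2): 1 = SHA-1, 2 = SHA-256.
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}
ZONE_KEY = 0x0100  # DNSKEY flag bit a DS may only point at when set

def name_to_wire(name):
    """Canonical (lowercased, length-prefixed) wire form of an owner name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, key, digest_type=2):
    """The DS RDATA a parent derives from one child DNSKEY."""
    rdata = dnskey_rdata(*key)
    return {"key_tag": key_tag(rdata), "algorithm": key[2], "digest_type": digest_type,
            "digest": DIGEST[digest_type](name_to_wire(owner) + rdata).digest()}

def authenticated_keys(owner, ds_rrset, dnskey_rrset):
    """DNSKEYs that an already validated DS RRset authenticates: algorithm and
    key tag only pick candidates, the digest comparison decides."""
    out = []
    for key in dnskey_rrset:
        rdata = dnskey_rdata(*key)
        for ds in ds_rrset:
            if key[2] != ds["algorithm"] or key_tag(rdata) != ds["key_tag"]:
                continue
            if not key[0] & ZONE_KEY:
                continue
            if DIGEST[ds["digest_type"]](name_to_wire(owner) + rdata).digest() == ds["digest"]:
                out.append(key)
                break
    return out

# Constructed placeholder keys (flags, protocol, algorithm, public key bytes), not real keys.
OWNER = "example.com."
OLD_KEY = (257, 3, 8, b"\x01\x02\x03\x04")  # cached key of the losing operator
NEW_KEY = (257, 3, 8, b"\x05\x06\x07\x08")  # key of the winning operator

def rollover_scenario():
    """DS for both keys, DS for the new key only, and a DS carrying the old key's
    tag but a digest not made from it: the last one must authenticate nothing."""
    both = [make_ds(OWNER, OLD_KEY), make_ds(OWNER, NEW_KEY)]
    new_only = [make_ds(OWNER, NEW_KEY)]
    tag_only = [dict(make_ds(OWNER, OLD_KEY), digest=make_ds(OWNER, NEW_KEY)["digest"])]
    keys = [OLD_KEY, NEW_KEY]
    return (authenticated_keys(OWNER, both, keys), authenticated_keys(OWNER, new_only, keys),
            authenticated_keys(OWNER, tag_only, keys))
```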
