What is the expected behaviour given example.net CNAME kskroll-sentinel-is-ta-<key-tag>.example.com when you query for example.net when the key-tag does not match a root TA? etc.
> On 23 Mar 2018, at 11:22 pm, Warren Kumari <[email protected]> wrote: > > On Fri, Mar 23, 2018 at 10:28 AM, Mark Andrews <[email protected]> wrote: >> Also Section 3.1 is not specific enough to implement. QNAME needs a >> qualifier (current or original). >> >> The leftmost label of the QNAME is either "kskroll-sentinel-is-ta- >> <key-tag>" or "kskroll-sentinel-not-ta-<key-tag>" > > This was too terse for me to parse. > > The check is: Does the left most label in the query name match > "kskroll-sentinel-is-ta-<key-tag>" where <key-tag> is as unsigned > decimal integer (as described in [RFC4034], section 5.3), zero-padded > to five digits (for example, a Key Tag 42 would be represented in the > label as 00042). > > So, kskroll-sentinel-is-ta-19036.example.com would match, as would > kskroll-sentinel-is-ta-20326.example.com, as would > kskroll-sentinel-is-ta-00042.example.net. > The question is not kskroll-sentinel-is-ta-original.example.com. > > I really don't understand your question -- please help. > W > > > >> -- >> Mark Andrews, ISC >> 1 Seymour St., Dundas Valley, NSW 2117, Australia >> PHONE: +61 2 9871 4742 INTERNET: [email protected] >> >> _______________________________________________ >> DNSOP mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/dnsop > > > > -- > I don't think the execution is relevant when it was obviously a bad > idea in the first place. > This is like putting rabid weasels in your pants, and later expressing > regret at having chosen those particular rabid weasels and that pair > of pants. > ---maf -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected] _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
