On Wed, Nov 12, 2014 at 04:06:25PM -0500, Michael Richardson wrote:
>
> What about, in the case where the signing is elsewhere, that the CPE should
> be a local secondary for the zone?

Under DNSSEC, either the CPE has to be in the NS RRset (because otherwise it would fail validation; but this exposes an NS on the CPE to the world), or else it's not. I guess the idea is to answer authoritatively without being in the NS RRset? Some resilience mechanisms will treat that as a hijacking attempt, but I suppose if validation passes they shouldn't.

> Use whatever dnssd WG creates for multi-links.

Yes, well, they're going to have the same problem with DNSSEC for the same reason.

> > driving us was a desire not to have that restriction. Otherwise, the
> > CPE has to be a DNS server for some but not all names inside the
> > homenet, and a forwarder for the rest of them. That seems a little
> > complicated.
>
> dnsmasq does exactly this already.... so running code.

Really? Last I looked, dnsmasq answered authoritatively for names for which it was configured. So you're suggesting that you _not_ configure the names served by the Public Authoritative in the homenet? The CPE still knows about these, of course, because they're the basis for the hidden master.

A

--
Andrew Sullivan
[email protected]

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
