In message <[EMAIL PROTECTED]>, Florian Weimer writes:
> * Mark Andrews:
> 
> >> >> The lack of a macro capability also means that it's basically
> >> >> impossible to secure DNSBL zones with DNSSEC when they contain larger
> >> >> chunks of address space; see the example in section 2.1.
> >> >
> >> >  How so?
> >> 
> >> The expectation is that error messages generated from TXT records
> >> contain the actual IP addresses which triggered the DNSBL lookups.  As
> >> a result, if you list a /16 (say), you need to publish 65,536 different
> >> TXT records.
> >> 
> >> Currently, these records are synthesized using a macro capability in
> >> the DNS server.
> >
> >     Which is independent of DNSSEC.  I ask again how this is a
> >     DNSSEC problem.
> 
> I didn't say it was a DNSSEC problem.  I just wanted to note it's
> impossible to secure some existing DNSBL zones using DNSSEC without
> sacrificing some of the functionality which is mentioned in section
> 2.1 in the draft.

        I still don't believe your claim.

        Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
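The point Florian makes in the quoted text (a listed prefix whose TXT answers name the triggering address needs one distinct record per address, so a /16 means 65,536 of them) can be made concrete by enumerating what such a zone would have to contain. The following is an added illustration, not code from either correspondent or from any DNSBL operator; the zone name `dnsbl.example.` and the TXT text template are assumptions. It also contrasts the per-address records with the single wildcard record a static zone could publish instead, which covers the same names but cannot carry the address that hit, since DNS wildcards synthesize the owner name, not the rdata.

```python
"""Constructed example: enumerate the TXT records a DNSBL zone needs when it
lists a whole prefix and wants each answer to name the listed address, and
compare that with what a single wildcard record could express."""
import ipaddress


def dnsbl_owner(ip, zone):
    """Build the DNSBL query name for an IPv4 address: octets reversed,
    appended to the list zone (e.g. 192.0.2.1 -> 1.2.0.192.dnsbl.example.)."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_records(cidr, zone, template="Listed: {ip}; see https://lookup.invalid/{ip}"):
    """Return the (owner, rdata) TXT records a zone must publish so that every
    address in `cidr` gets an answer mentioning that exact address.  Because
    each rdata differs, no two of these can share one signed RRset: each
    owner name becomes its own RRset (and its own RRSIG) under DNSSEC."""
    net = ipaddress.ip_network(cidr, strict=False)
    records = []
    for ip in net:  # iterates every address in the prefix, /32 included
        rdata = 'TXT "%s"' % template.format(ip=ip)
        records.append((dnsbl_owner(ip, zone), rdata))
    return records


def record_count(cidr):
    """Number of per-address records a listing of `cidr` implies."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def distinct_rdata_count(records):
    """How many different TXT strings appear; equals the record count when the
    address is embedded in the text, which is what defeats wildcarding."""
    return len({rdata for _, rdata in records})


def wildcard_record(cidr, zone, text):
    """The one static record a zone could publish instead for an octet-aligned
    prefix.  It matches every name under the reversed prefix, but the rdata is
    fixed: the text cannot mention which address triggered the lookup."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen % 8 != 0 or net.prefixlen == 32:
        raise ValueError("wildcard covers only octet-aligned prefixes shorter than /32")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    owner = "*." + ".".join(reversed(kept)) + "." + zone
    return (owner, 'TXT "%s"' % text)


if __name__ == "__main__":
    zone = "dnsbl.example."
    small = dnsbl_records("192.0.2.0/30", zone)
    for owner, rdata in small:
        print(owner, rdata)
    print("records needed for a /16:", record_count("10.0.0.0/16"))
    print("wildcard alternative:", wildcard_record("10.0.0.0/16", zone, "Listed prefix 10.0.0.0/16"))
```

Run as-is it prints the four records for a /30 and the 65,536 figure for a /16; the contrast with `wildcard_record` is the whole argument in the thread: a pre-signed zone can carry one wildcard with a generic message, or one signed record per address, but not a synthesized per-address message without a signer in the query path.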
_______________________________________________
Ietf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf