D. J. Bernstein writes ("Re: An easy example of A6 unreliability"):
> The SIG semantics don't have to be modified. When the server copies the
> A record, it can also move it into its own zone, sign it, and change the
> NS record accordingly.

This would I think be rather poor practice on the part of the server.
Signing something just because someone else signed something is not
usually a good idea, and usually indicates a design error somewhere.

Now you'll probably just agree with me and tell us that the design
error is that the NS record contains an A :-).

Still, at first glance it doesn't seem like a very good idea. If
people still seem to think it is then I suppose I should think about
it harder and see what potential attacks there are.

Ian.
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------