I've been inactive a long time, but someone alerted me to this message.
(Apologies what below looks like it's from a ranting lunatic. But it is.)
On 4/12/19, 11:31, "DNSOP on behalf of Mark Andrews" wrote:
Well given that the actual rule is all the algorithms listed in the DS RRset
On 4/12/19 07:34, Matthijs Mekking wrote:
I think the logic suggested for ANAME is given this example:
1. Have ANAME and A and sibling address records.
2. Look up ANAME target A and target records.
3. If there is no positive answer (SERVFAIL, NXDOMAIN, NODATA) keep
sibling address
In further support of preserving sibling records when target chasing
comes back negative, I'd like to further explore my offhand mention of
"A and/or records".
For a domain owner wanting to use a currently IPv4-only service provider
(names withheld) while still supporting IPv6, the
On 11 Apr 2019, at 23:45, Matthew Pounsett wrote:
> On Thu, 11 Apr 2019 at 20:02, Richard Gibson
> wrote:
>>
>> The first problem is for the owner of the ANAME-containing zone, for whom
>> the upstream misconfiguration will result in downtime and be extended by
>> caching to the MINIMUM
On 4/11/19 23:45, Matthew Pounsett wrote:
On Thu, 11 Apr 2019 at 20:02, Richard Gibson
wrote:
The first problem is for the owner of the ANAME-containing zone, for whom the
upstream misconfiguration will result in downtime and be extended by caching to
the MINIMUM value from their SOA, which
Well given that the actual rule is all the algorithms listed in the DS RRset
rather than DNSKEY RRset and is designed to ensure that there is always a
signature
present for each of the algorithms that could be used to declare that
the child zone is treated as secure, the answer is NO.
Hi -
I had someone ask me (last night!!) whether or not the "must sign each
RRSet with all of the algorithms in the DNSKEY RRSet" rule applies if
the only key with algorithm A in the RRSet has the revoke bit set. A
question I had never previously considered.
Given that you can't trace
Hi!
From: Paul Wouters [mailto:pwout...@redhat.com]
Sent: Wednesday, April 10, 2019 12:49 PM
To: Roman Danyliw
Cc: The IESG ; draft-ietf-dnsop-algorithm-upd...@ietf.org; Tim
Wicinski ; dnsop-cha...@ietf.org; dnsop@ietf.org
Subject: Re: Roman Danyliw's No Objection on
On 4/12/19 1:05 PM, Tony Finch wrote:
> Matthew Pounsett wrote:
>>
>> I feel like this is creating an even bigger potential problem. What
>> happens when the owner of the ANAME target legitimately wants that
>> name to go away, but some other zone owner is leaving an ANAME in
>> place
Matthew Pounsett wrote:
>
> I feel like this is creating an even bigger potential problem. What
> happens when the owner of the ANAME target legitimately wants that
> name to go away, but some other zone owner is leaving an ANAME in
> place pointing to that now-nonexistent name? Continuing to
10 matches