[dnssec-deployment] split-view DNSSEC Best Current Practices
Suresh Krishnaswamy
suresh at tislabs.com
Wed Jan 12 12:47:59 EST 2005
> I see your advice is DON'T. I fear this
> won't be enough,
Steve,
This advice is not as strongly worded in the BCP; but the BCP does
encourage steering away from split-views as much as possible. This is
not because it is impossible to configure split-views with DNSSEC, but
because of the fragility of the setup. It is very easy to invalidate the
entire setup through what might appear to be a simple configuration
error.
The document also makes the recommendation for using split-namespaces
(where all sensitive names are placed under a private delegation) when
name hiding is the main objective for splitting worlds. The
best practices document for split-namespaces is currently work in
progress.
Suresh Krishnaswamy
SPARTA, Inc