[dnssec-deployment] split-view DNSSEC Best Current Practices
Steve Crocker
steve at shinkuro.com
Wed Jan 12 12:53:15 EST 2005
Thanks. This is definitely an interesting subject. I have the
impression that split view DNS is used very widely,. so I don't hold
much hope for changing that practice, and hence challenges us to provide
useful and practical advice for fitting DNSSEC into those environments.
I'll stay quiet on this until I've had time to read your document.
Thanks,
Steve
Suresh Krishnaswamy wrote:
>
>
>>I see your advice is DON'T. I fear this
>>won't be enough,
>>
>>
>
>Steve,
>
>This advise is not as strongly worded in the BCP; but the BCP does
>encourage steering away split-views as much as possible. This is
>not because it is impossible to configure split-views with DNSSEC, but
>because of the fragility of the set up. It is very easy to invalidate the
>entire set up through what might appear to be a simple configuration
>error.
>
>The document also makes the recommendation for using split-namespaces
>(where all sensitive names are placed under a private delegation) when
>name hiding is the main objective for splitting worlds. The
>best practices document for split-namespaces is currently work in
>progress.
>
>Suresh Krishnaswamy
>SPARTA, Inc
>
>
>
>
More information about the Dnssec-deployment
mailing list