[Dnssec-deployment] DNSSEC for IPv4 multicast addresses
Edward Lewis
Ed.Lewis at neustar.biz
Thu Jul 7 13:28:07 EDT 2011
At 18:18 +0200 7/7/11, Peter Koch wrote:
>When you are using 239/8 reverse you either sign it and provide your
>own trust anchor or you teach the resolver (hear hear) that 239/8 is
>provably insecure. Do people feel that making 239/8 reverse provably
>insecure globally would be really preferable?
I think I ran into this a while ago. I asked "how can you make a
subtree appear to be un-signed when the parent of it says it is"
inside a resolver. This related to split DNS.
E.g., root->tld.(signed)->enterprise.tld.(signed) for the internet
but inside my enterprise net I want enterprise.tld. to be unsigned.
(Because I'm running something that dynamically adds to the DNS that
is not DNSSEC capable.)
In the reverse, I can make it happen. I can have enterprise.tld be
unsigned in the signed tld zone (no DS) and then insert a trust
anchor for it in my resolver (which is also forwarding all
enterprise.tld. queries to a set of servers running it as signed).
Using 10/8 as my example, if (world *) 10/8 was signed by IANA then I
would have to sign (my *) 10/8 if a validating resolver had the root
key. If (world *) 10/8 is not signed, then I have the option to sign
(my *) 10/8 or not. In either case, if I sign (my *) 10/8 I have to
then distribute the SEP to all validators of interest.
As Peter writes: "or you teach the resolver that 239/8 is provably
insecure" - can this be done in tools today? If you can't I'd say
making it provably insecure would be preferable.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
I'm overly entertained.
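As an added illustration that is not part of Edward's message or any resolver's code: a small Python model of the outcomes his 10/8 reasoning walks through (a parent DS forcing the child to be signed, an unsigned delegation leaving the choice open, a locally distributed SEP making the private copy secure, and Peter's "teach the resolver it is insecure" override). The chain, zone names and the assumption that a signed zone's key matches whatever DS or anchor names it are constructed for the example.

```python
# Added example (not from the thread): simplified DNSSEC state propagation
# (secure / insecure / bogus) down a delegation chain, with local trust
# anchors and "treat this name as insecure" overrides (negative trust anchors).
from dataclasses import dataclass


@dataclass
class Zone:
    name: str            # e.g. "10.in-addr.arpa."
    signed: bool         # zone is signed with the key its DS / anchor names
    parent_has_ds: bool  # the parent publishes a DS record for this zone


def validation_states(chain, trust_anchors=(), insecure_anchors=()):
    """Return {zone name: state}, walking the chain from the root downward."""
    states = {}
    parent = "insecure"  # nothing above the root; only a root anchor makes it secure
    for z in chain:
        if z.name in insecure_anchors:
            state = "insecure"                          # chain of trust ignored here
        elif z.name in trust_anchors:
            state = "secure" if z.signed else "bogus"   # anchor configured, no RRSIGs
        elif parent == "secure":
            if z.parent_has_ds:
                state = "secure" if z.signed else "bogus"  # DS promises a DNSKEY
            else:
                state = "insecure"                      # proven unsigned delegation
        else:
            state = parent                              # insecure/bogus propagate down
        states[z.name] = state
        parent = state
    return states


# Constructed chain: root and in-addr.arpa. signed, root key held by the resolver.
ROOT = Zone(".", True, False)
ARPA = Zone("in-addr.arpa.", True, True)


def my_ten_state(world_has_ds, my_ten_signed, local_anchor=False, mark_insecure=False):
    """State of my private copy of 10.in-addr.arpa. under the choices in the message."""
    chain = [ROOT, ARPA, Zone("10.in-addr.arpa.", my_ten_signed, world_has_ds)]
    anchors = {"."} | ({"10.in-addr.arpa."} if local_anchor else set())
    insecure = {"10.in-addr.arpa."} if mark_insecure else set()
    return validation_states(chain, anchors, insecure)["10.in-addr.arpa."]
```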