[Dnssec-deployment] DNSSEC for IPv4 multicast addresses
Ed.Lewis at neustar.biz
Thu Jul 7 13:28:07 EDT 2011
At 18:18 +0200 7/7/11, Peter Koch wrote:
>When you are using 239/8 reverse you either sign it and provide your
>own trust anchor or you teach the resolver (hear hear) that 239/8 is
>provably insecure. Do people feel that making 239/8 reverse provably
>insecure globally would be really preferrable?
I think I ran into this a while ago. I asked "how can you make a
subtree appear to be un-signed when the parent of it says it is"
inside a resolver. This related to split DNS.
E.g., root->tld.(signed)->enterprise.tld.(signed) for the internet
but inside my enterprise net I want enterprise.tld. to be unsigned.
(Because I'm running something that dynamically adds to the DNS that
is not DNSSEC capable.)
In the reverse, I can make it happen. I can have enterprise.tld be
unsigned in the signed tld zone (no DS) and then insert a trust
anchor for it in my resolver (which is also forwarding all
enterprise.tld. queries to a set of servers running it as signed).
Using 10/8 as my example, if (world *) 10/8 was signed by IANA then I
would have to sign (my *) 10/8 if a validating resolver had the root
key. If (world *) 10/8 is not signed, then I have the option to sign
(my *) 10/8 or not. In either case, if I sign (my *) 10/8 I have to
then distribute the SEP to all validators of interest.
As Peter writes: "or you teach the resolver that 239/8 is provably
insecure" - can this be done in tools today? If you can't I'd say
making it provably insecure would be preferrable.
NeuStar You can leave a voice message at +1-571-434-5468
I'm overly entertained.
More information about the Dnssec-deployment