This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled


On 02/23/2015 10:03 AM, Florian Weimer wrote:
> It was introduced to a specific failure case spotted with the first
> installment of DNSSEC.
> 
> But the same bit was reused for the second installment of DNSSEC, which
> was totally unrecognizable to implementations of the earlier DNSSEC
> variant.  From their point of view, it could have been something else
> entirely, they wouldn't know that it was still called DNSSEC.
> 
> DO is generally thought of as “DNSSEC supported”, so you are right, but
> in practice, it just means, “you can send me properly formatted resource
> records along with the answer which bear no relationship to the query,
> and I will still pick out those records I'm interested in”.

Just to be clear, you mean to say:

* The DO bit was reused in DNSSECbis.

* DNSSECbis itself is changed significantly from DNSSEC.

	- Uses new RRs.
	- Should not confuse NSEC3-unaware resolvers.
	- Should not cause NSEC-aware resolvers to mark
	  NSEC3-aware systems' signatures as invalid.

* The semantics of the DO bit remain roughly the same.

* The DO bit can continue to be used as expected.

I agree with all of those points. Perhaps my confusion was that you 
wrote "totally unrecognizable" which I interpreted to mean that you
were saying the DO bit had somehow changed semantics.

Cheers,
Carlos.
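As an added illustration of the DO-bit behaviour described above (not code from this thread or from glibc), the following Python builds a constructed response to "example.test. IN A" whose additional section carries an OPT pseudo-RR with DO set, reads the flag from the OPT TTL field, and keeps only the answer RRs that match the question, skipping the RRSIG the responder appended. The name example.test, the record contents and the RRSIG rdata are made up for the sample.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_FLAG = 0x8000  # DO bit: top bit of the 16-bit flags inside the OPT pseudo-RR's TTL (RFC 3225)

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    labels = []
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: follow it, then skip the 2-byte pointer
            return ".".join(labels + [decode_name(msg, struct.unpack("!H", msg[off:off+2])[0] & 0x3FFF)[0]]), off + 2
        labels.append(msg[off+1:off+1+msg[off]].decode()); off += 1 + msg[off]
    return ".".join(labels), off + 1

def rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def opt_rr(do=True, payload=4096):
    # OPT: root name, CLASS = UDP payload size, TTL = ext-RCODE | version | flags (DO lives in flags).
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload, DO_FLAG if do else 0, 0)

def parse_response(msg):
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])  # assumes a single question
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off+4]); off += 4
    records, do_bit = [], None
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off+10]); off += 10
            rdata, off = msg[off:off+rdlen], off + rdlen
            if rtype == TYPE_OPT:
                do_bit = bool(ttl & DO_FLAG)  # responder echoes the DO flag it understood
            else:
                records.append((section, name, rtype, rdata))
    return qname, qtype, do_bit, records

def select_answers(msg):
    # Keep answer RRs matching the question; unrelated RRs (RRSIG, NSEC...) are skipped, not errors.
    qname, qtype, do_bit, records = parse_response(msg)
    wanted = [r for r in records if r[0] == "answer" and r[1] == qname and r[2] == qtype]
    extra = [r[2] for r in records if r not in wanted]
    return do_bit, wanted, extra

# Constructed sample: A answer plus an RRSIG (placeholder rdata) and an OPT RR with DO set.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)
          + encode_name("example.test") + struct.pack("!HH", TYPE_A, 1)
          + rr("example.test", TYPE_A, 300, bytes([192, 0, 2, 10]))
          + rr("example.test", TYPE_RRSIG, 300, b"placeholder-rrsig-rdata")
          + opt_rr(do=True))
```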