DNS Sec
Mark.Andrews at nominum.com
Sun Oct 15 12:59:50 UTC 2000
> I'm trying to hack bind to allow for a*.domain.com to work (as opposed to
> the current wildcarding of *.domain.com, which applies only to an entire
> label). However, I was then told that this would not work with Bind 9's DNS
> SEC feature. Does anyone here know why that is?

It could be made to work; you would have to teach the signer
about these labels and make them appear to have *.domain.com
as the owner. The NXT chain would also have to appear as
if they were *.domain.com as well.

Conceptually you are giving out different answers, with
corresponding SIGs, for matches against *.domain.com based
upon the query name.

Another alternative is to have the keys online and just sign
on the fly. This is CPU intensive.

Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
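
Why the signer has to present these records as *.domain.com, shown as an added example (not part of the original message and not BIND code): a validator rebuilds the signed owner name from the query name and the SIG Labels field, so the only wildcard form it can arrive at is a whole-label `*`. The function names are illustrative, and only name reconstruction is modelled, not signature verification.

```python
# Added illustration (not BIND code). Only the owner-name reconstruction
# step of SIG validation is modelled; no cryptography is performed.

def labels_of(name):
    """Lowercased labels of a domain name, root label dropped."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def fqdn(labels):
    """Join labels back into an absolute name."""
    return ".".join(labels) + "."

def sig_labels_for(owner):
    """Labels field a signer writes: label count of the owner name, not
    counting the root or a leading whole-label "*" (RFC 2535, 4.1.3)."""
    labels = labels_of(owner)
    return len(labels) - 1 if labels[:1] == ["*"] else len(labels)

def reconstructed_owner(qname, sig_labels):
    """Owner name a validator feeds into signature verification."""
    labels = labels_of(qname)
    if sig_labels > len(labels):
        raise ValueError("Labels field larger than the name: SIG is invalid")
    if sig_labels == len(labels):
        return fqdn(labels)                      # answer was not synthesized
    # Wildcard expansion: keep the rightmost sig_labels labels, prepend "*".
    return fqdn(["*"] + labels[len(labels) - sig_labels:])

def owner_survives_validation(signing_owner, qname):
    """True if a SIG made over signing_owner can be checked for qname."""
    rebuilt = reconstructed_owner(qname, sig_labels_for(signing_owner))
    return rebuilt == fqdn(labels_of(signing_owner))

if __name__ == "__main__":
    # Constructed sample: names the hypothetical a*.domain.com rule would match.
    for owner in ("a*.domain.com", "*.domain.com"):
        for qname in ("apple.domain.com", "avocado.domain.com"):
            print(owner, qname, owner_survives_validation(owner, qname))
```

A SIG computed over the literal owner a*.domain.com never verifies for an expanded name, while one computed over *.domain.com does, which is why the partial-label records have to be signed as if *.domain.com owned them.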