DNSSEC ISSUE (Msg: Request is not signed)
Edward Lewis
Ed.Lewis at neustar.biz
Mon Jul 16 12:05:07 UTC 2007
At 14:40 +0900 7/16/07, Curt Sampson wrote:
>I'm curious as to why this is set up this way, though. Wouldn't it make
>sense that authoritative servers, when loading or fetching the zone
>file, validate the data when loaded and then return responses with the
>AD bit set?
That was in the original design of DNSSEC. The problem was that
performing crypto operations takes a long time and the only thing
proven was that your zone file was not corrupted between the time of
signing and the loading of the zone. Too much time for no payoff.
After changing the design, we then spent a lot of time redefining the
"AD" bit. The question was whether the AD bit meant the server felt
the answer was authenticated or if the AD bit meant that the answer
was cryptographically checked. (The two questions are not the same.)
See: ftp://ftp.rfc-editor.org/in-notes/rfc3655.txt
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Think glocally. Act confused.
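The distinction Ed draws (AD as "I, the responding server, validated this" versus a claim the client may rely on) is easiest to see in the header bits themselves. The following is an added example, not code from the post or from BIND; it decodes the flags word of a DNS header, builds two constructed 12-byte headers (an authoritative answer with AA set and a recursive answer with AD set), and applies the post-RFC 3655 rule that a stub resolver should act on AD only when it came from a validating resolver it trusts. Flag masks follow RFC 1035 and RFC 4035; the message bytes are constructed for the example.

```python
import struct

# Header flag bit positions in the 16-bit flags word (RFC 1035; AD/CD from RFC 4035).
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010


def parse_flags(msg: bytes) -> dict:
    """Decode the flags word of a DNS message header (bytes 2-3)."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes")
    (flags,) = struct.unpack("!H", msg[2:4])
    return {
        "qr": bool(flags & FLAG_QR),  # response
        "aa": bool(flags & FLAG_AA),  # authoritative answer
        "tc": bool(flags & FLAG_TC),  # truncated
        "rd": bool(flags & FLAG_RD),  # recursion desired
        "ra": bool(flags & FLAG_RA),  # recursion available
        "ad": bool(flags & FLAG_AD),  # authenticated data (validator's claim)
        "cd": bool(flags & FLAG_CD),  # checking disabled
        "rcode": flags & 0x000F,
    }


def build_header(flags: int, qid: int = 0x1234) -> bytes:
    """Constructed header: id, flags, qdcount=1, ancount=1, nscount=0, arcount=0."""
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0)


def trust_ad(flags: dict, from_trusted_validator: bool) -> bool:
    """Under the redefined AD bit, only a validating resolver sets AD, and a
    stub should honour it only when the resolver is one it trusts and the
    path to it is considered secure (RFC 3655 / RFC 4035 section 3.2.3)."""
    return flags["qr"] and flags["ad"] and from_trusted_validator


# Constructed sample responses (not captured traffic):
# an authoritative server answers with AA set and AD clear, making no validation claim.
AUTH_RESPONSE = build_header(FLAG_QR | FLAG_AA | FLAG_RD)
# a validating recursive resolver answers with RA and AD set.
VALIDATED_RESPONSE = build_header(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)

if __name__ == "__main__":
    for name, msg in (("authoritative", AUTH_RESPONSE), ("validated", VALIDATED_RESPONSE)):
        f = parse_flags(msg)
        print(name, "AA=%d AD=%d trusted=%s" % (f["aa"], f["ad"], trust_ad(f, True)))
```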