> On Jul 29, 2015, at 10:34 PM, Wessels, Duane <dwess...@verisign.com> wrote:
> 
> Hi Olafur,
> 
> For an RD=0 query to a name server authoritative for the "." zone the client 
> would send 12345, 23456.
> 
> For an RD=0 query to a name server authoritative for the evil.example zone, 
> the client would send 9666, 6669.
> 
> For RD=1 queries, I propose that the client send key tags for the trust 
> anchor whose name has the longest match to the query name.  So for an RD=1 
> query for verisign.com it would send 12345, 23456.  
> For www.evil.example it would send 9666, 6669.  
> Certainly I suppose the "." trust anchor could still validate the 
> www.evil.example response but the client will have 
> other queries that would result in the "." trust anchor being sent upstream.

Why not include the number of labels to the TA in the option, 
rather than have the “user” chase down whether it was for www.evil.example, 
evil.example, example or “.”? 

The main usage for this option IMHO is to check if the “local” resolver set is 
using the expected TA’s, and if it is not, enable the “user” to complain.

Olafur



> 
> DW
> 
> From: Olafur Gudmundsson [o...@ogud.com]
> Sent: Wednesday, July 29, 2015 9:19 PM
> To: Wessels, Duane
> Cc: IETF DNSOP WG
> Subject: Re: [DNSOP] The EDNS Key Tag Option
> 
> 
>> On Jul 29, 2015, at 8:09 PM, Wessels, Duane <dwess...@verisign.com> wrote:
>> 
>> Seeing Warren's recent draft on updates of DNSSEC trust anchors encouraged
>> me to finish and submit what I think may be a better method for tracking
>> trust anchor updates.  I've described an edns-key-tag option, which puts
>> trust anchor key tags in the EDNS OPT record.  It is modeled after RFC
>> 6975, which is a way that clients can signal to servers the DNSSEC algorithms
>> that they support.
>> 
>> https://datatracker.ietf.org/doc/draft-wessels-edns-key-tag/
>> 
>> Feedback would be welcomed.
>> 
>> Duane W.
> 
> 
> Duane, 
> 
> Question: 
> Validator has the following TA’s configured: 
> .               12345 and 23456 
> evil.example    9666 and 6669 
> 
> Then if the query is for 
> verisign.com, what TA’s are returned? 
> If the query is for 
> www.evil.example, what TA’s are returned? 
> 
> Olafur

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
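The selection rule Duane describes (for RD=1, send the key tags of the trust anchor whose name is the longest label-wise match to the query name; for RD=0, the tags of the anchor for the zone the server is authoritative for) and Olafur's suggested label count, as an added worked example that is not part of the thread or the draft. The trust-anchor set is the one constructed in the thread; the option-data layout (2-octet key tags, modelled on RFC 6975) and the optional leading label-count octet are assumptions for illustration, not the draft's wire format.

```python
import struct

# Constructed trust-anchor configuration from the thread: anchor name -> key tags.
TRUST_ANCHORS = {
    ".": [12345, 23456],
    "evil.example.": [9666, 6669],
}


def _labels(name):
    """Split a DNS name into lowercased labels; the root name yields []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def select_trust_anchor(qname, anchors=TRUST_ANCHORS):
    """Return (anchor_name, key_tags, label_count) for the configured trust
    anchor whose name is the longest suffix of qname on label boundaries.
    For an RD=0 query, pass the name of the zone the server is authoritative
    for instead of the query name. Matching is per label, so
    'notevil.example' does NOT match the evil.example anchor."""
    q = _labels(qname)
    best = None
    for ta_name, tags in anchors.items():
        t = _labels(ta_name)
        if len(t) <= len(q) and q[len(q) - len(t):] == t:
            if best is None or len(t) > best[2]:
                best = (ta_name, list(tags), len(t))
    if best is None:
        raise ValueError("no trust anchor covers %r" % qname)
    return best


def encode_key_tag_option(key_tags, label_count=None):
    """Build the option data: each key tag as a 2-octet network-order value
    (assumed layout, modelled on RFC 6975). If label_count is given, a
    hypothetical 1-octet label count is prepended, as Olafur proposes, so
    the receiver can tell which anchor the tags belong to."""
    data = b"".join(struct.pack("!H", tag) for tag in key_tags)
    if label_count is not None:
        data = struct.pack("!B", label_count) + data
    return data


if __name__ == "__main__":
    for name in ("verisign.com", "www.evil.example", "notevil.example"):
        ta, tags, n = select_trust_anchor(name)
        print(name, "->", ta, tags, encode_key_tag_option(tags, n).hex())
```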
