[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-ymbk-6to4-arpa-delegation-00.txt





--On 15. november 2002 13:16 -0500 Harald Tveit Alvestrand <harald@alvestrand.no> wrote:


--On 11. november 2002 13:32 -0800 Alain Durand <Alain.Durand@sun.com>
wrote:

I would like not to change it too, but the alternative to create records
on the fly in the DNS servers is an invitation for DOS attack on
DNSsec...
why?

the synthesized records are "like" glue records, aren't they?
so they shouldn't be signed anyway....?
I was corrected by Rob Austein.
If we want to be able to use DNSSEC at the 6to4 leaf nodes, the synthesized record set has to include a (signed) DS record.

And then it gets ugly.....

Harald