Hi
(I hope this doesn't mess up threading... our mail system is apparently
not prepared to handle duplicate mailing list + cc messages...)
Since Oli Schacher claims to have this draft already implemented, I
wonder what decisions you took when implementing this.
Our implementation first asks a validating resolver for the CDS RRSET of
each domain, so we get a first pass from a "random" authoritative
server. If this CDS RRSET already matches the current DS state, then we
abort - because even if another authoritative server would return a
different CDS RRSET it would mean the CDS RRSETs are inconsistent anyway.
If the CDS RRSET does indicate a change request to the status quo, we
fetch ALL IP addresses for each nameserver hostname (from our own
delegation data, i.e. glue records, if we have them) and also through a
validating resolver. Then we ask each of these IPs directly for the CDS
RRSET and compare the result to the initial answer from the resolver.
> How exactly
> does your implementation work for hostnames that resolve to inconsistent
> sets of IP addresses?
We do not check for an inconsistent IP set from all possible resolution
paths, we only verify consistency from one. However, we do have multiple
vantage points for the scan, each with its own local resolver. So if
there were both an inconsistency in IP sets and in CDS RRSETs, there would
still be a chance we would detect it.
Best regards
Oli
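The two-step procedure described in the message above (resolver answer compared to the current DS, then every nameserver address queried directly), written out as an added example; this is not the author's scanner code. Zone names, nameservers, addresses and digests are constructed, and the authoritative lookups are a fake table standing in for real DNS queries.

```python
from typing import Callable, FrozenSet, Iterable, Mapping, Optional, Sequence

# A CDS record as (key tag, algorithm, digest type, digest); digests compare case-insensitively.
CDS = tuple[int, int, int, str]

def canonical(rrset: Iterable[CDS]) -> FrozenSet[CDS]:
    """Normalise an RRset so two answers compare equal regardless of order or digest case."""
    return frozenset((tag, alg, dtype, digest.lower()) for tag, alg, dtype, digest in rrset)

def check_cds(zone: str, current_ds: Sequence[CDS], resolver_cds: Sequence[CDS],
              ns_addresses: Mapping[str, Sequence[str]],
              query_auth: Callable[[str, str], Optional[Sequence[CDS]]]):
    """Return (verdict, detail). Verdicts: 'no-change', 'inconsistent', 'consistent-change'."""
    wanted = canonical(resolver_cds)
    # Step 1: the validating resolver's CDS already matches the DS -> abort, nothing to do.
    if wanted == canonical(current_ds):
        return "no-change", sorted(wanted)
    # Step 2: a change is requested; ask every address of every nameserver directly
    # and require each answer to match the resolver's answer exactly.
    disagreeing = []
    for ns, ips in ns_addresses.items():
        for ip in ips:
            answer = query_auth(ip, zone)
            if answer is None or canonical(answer) != wanted:
                disagreeing.append((ns, ip))
    if disagreeing:
        return "inconsistent", disagreeing
    return "consistent-change", sorted(wanted)

# Constructed sample data (not real zones, keys or servers).
OLD = [(12345, 13, 2, "A" * 64)]
NEW = [(23456, 13, 2, "B" * 64)]
NS_ADDRESSES = {"ns1.example.net.": ["192.0.2.1", "2001:db8::1"],
                "ns2.example.net.": ["198.51.100.1", "198.51.100.2"]}

def make_query(table: Mapping[str, Sequence[CDS]]):
    """Fake authoritative lookup: returns the CDS RRset a given server address would serve."""
    return lambda ip, zone: table.get(ip)

def demo():
    # One address of ns2 still serves the old CDS RRset (e.g. a lagging secondary).
    lagging = make_query({"192.0.2.1": NEW, "2001:db8::1": NEW,
                          "198.51.100.1": NEW, "198.51.100.2": OLD})
    caught_up = make_query({ip: NEW for ips in NS_ADDRESSES.values() for ip in ips})
    unchanged = check_cds("example.org.", OLD, OLD, NS_ADDRESSES, lagging)
    inconsistent = check_cds("example.org.", OLD, NEW, NS_ADDRESSES, lagging)
    consistent = check_cds("example.org.", OLD, NEW, NS_ADDRESSES, caught_up)
    return unchanged[0], inconsistent, consistent[0]
```

Note that a single lagging address is enough to reject the update, which is what makes the per-address pass stricter than trusting the resolver's one "random" answer.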