
nanog mailing list archives

Re: What do people use public suffix for?
From: Jimmy Hess <mysidia () gmail com>
Date: Fri, 19 Apr 2013 18:33:25 -0500

On 4/19/13, Dave Crocker <dhc2 () dcrocker net> wrote:
On 4/19/2013 12:57 PM, Tony Finch wrote:
To reinforce Joe's point, there doesn't even need to be a zone cut for
there to be an administrative cut. There are various ISPs and dynamic DNS
providers that put all their users in the same zone, and the common
[snip]

In this case, there really is no administrative cut though... the
provider administers the DNS record.

The fact that they often correlate moderately well makes it easy to miss
the facts that a) that's not their job, and b) the correlation isn't
perfect.  And the imperfections matter.

That is why there is the current interest in developing a cheap,
accurate method that /is/ intended to define organizational boundaries.


It seems this is more about providing a security function to DNS, to
inform the public, about where the responsible parties change.

The right place for this is clearly the DNSSEC extensions....

If the DS record identifies a different signer, then you have an
administrative split,
or if the e-mail address field in the SOA fields of the parent zone
are different, then you have an administrative split, OR if one of the
two zones has RP (responsible party records), and the list of RP
records are different for the two zones, then you have an
administrative split.


If the DS record identifies the same signer, AND the e-mail
address in the SOA records is the same; or the list of e-mail
addresses in the two zones' RP records are identical,
then you don't have an administrative split.


--
-JH
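
The two rules in the message above, written out as an added example that is not part of the original post. The `ZoneFacts` fields, the `classify` name and all sample values are assumptions; "signer" is modelled as an opaque key identifier, and inputs on which both rules fire are reported as `"conflict"` rather than resolved.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ZoneFacts:
    """Facts about one zone, collected beforehand (hypothetical container)."""
    signer: str                  # assumption: opaque ID of the key that signs the zone
    soa_rname: str               # mailbox field of the zone's SOA record
    rp: frozenset = frozenset()  # mailboxes taken from the zone's RP records

def _norm(mailbox: str) -> str:
    # DNS names compare case-insensitively; ignore the trailing root dot.
    return mailbox.rstrip(".").lower()

def classify(parent: ZoneFacts, child: ZoneFacts) -> str:
    """Return 'split', 'no-split' or 'conflict' for a parent/child zone pair."""
    same_signer = parent.signer == child.signer
    same_soa = _norm(parent.soa_rname) == _norm(child.soa_rname)
    p_rp = {_norm(m) for m in parent.rp}
    c_rp = {_norm(m) for m in child.rp}
    # "one of the two zones has RP ... and the lists differ"
    rp_differs = bool(p_rp or c_rp) and p_rp != c_rp
    # Assumption: two empty RP sets are not treated as evidence of sameness.
    rp_same = bool(p_rp) and p_rp == c_rp

    # Rule 1: any one of the three differences means a split.
    split = (not same_signer) or (not same_soa) or rp_differs
    # Rule 2: same signer AND (same SOA mailbox OR identical RP lists).
    no_split = same_signer and (same_soa or rp_same)

    if split and no_split:
        return "conflict"  # both rules, read literally, apply to this input
    return "split" if split else "no-split"

# Constructed sample data (example.net is a reserved documentation domain).
PROVIDER = ZoneFacts("key-A", "hostmaster.example.net.")
USER_SAME_ADMIN = ZoneFacts("key-A", "Hostmaster.Example.NET")
DELEGATED = ZoneFacts("key-B", "admin.customer.example.net.")
SAME_KEY_OTHER_RP = ZoneFacts("key-A", "hostmaster.example.net.",
                              frozenset({"ops.customer.example.net."}))

if __name__ == "__main__":
    for name, child in [("same admin", USER_SAME_ADMIN),
                        ("delegated", DELEGATED),
                        ("same key, other RP", SAME_KEY_OTHER_RP)]:
        print(f"{name}: {classify(PROVIDER, child)}")
```
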

