At the moment? Nothing.

On 21/11/2009, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
> On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>
>> On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
>> > On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>> >
>> >> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
>> >> >
>> >> > So, for example 'fedoraproject.org' wouldn't be signed, but
>> >> > 'us.fedoraproject.org' would be? I *think* that's possible but I
>> >> > haven't gotten it to work. If I can get that to work though I guess
>> >> > that makes sense because A) it'd work for now and B) I'm sure over
>> >> > time pdns's dnssec will continue to mature.
>> >>
>> >> No, that wouldn't really work, because then you couldn't trust lookups
>> >> from the fedoraproject.org zone, which would include delegations to
>> >> the subdomains, the main website itself, MX records, etc.
>> >>
>> >
>> > But if fedoraproject.org pointed to some place that wasn't signed or was
>> > signed incorrectly, wouldn't that fail?
>>
>> fedoraproject.org can't be a CNAME because it has other records like
>> MX, NS, SOA, etc. We'd have to switch to using
>> 'www.fedoraproject.org' which could be a CNAME into an unsigned
>> subzone.
>>
>> But then you'd still have the problem of relying on an unsigned zone
>> serving up DNS data, eventually no one is going to trust it.
>>
>
> At this very moment, what is dnssec buying us?
>
> -Mike

--
Sent from my mobile device

--
Nigel Jones

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list