spf-discuss

Re: Can SPF identify wildcard domain forgery?

2004-08-26 16:38:50
On Thu, 2004-08-26 at 07:22, william(at)elan.net wrote:
> On Thu, 26 Aug 2004, Roger Moser wrote:
>
> > Shelby, again: The spammer cannot find out that there is a subdomain
> > user._spf.example.com. If your name server allows one to find out the names of
> > the subdomains, then it is misconfigured and you should immediately fix it.
>
> That is not quite so if you configure DNSSEC, since then you must allow for
> transfer of the entire zone (signed obviously) and this reveals all subdomains.
> This has been one of the problems that may be stopping wider use of DNSSEC.

What happens to dynamic lookups then?

Say you set up hashme.example.com to return hashes, so that a query to
variable.hashme.example.com returns a 4-byte hash of "variable"?

Would DNSSEC require that you allow zone transfers of all possible
values of "variable" for variable.hashme.example.com?

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com
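An added illustration, not part of the thread, of the two things the messages above contrast: the synthesized `variable.hashme.example.com` hash answer, and the sorted NSEC chain a statically (offline) signed zone must publish to prove a name does not exist. The zone contents, the 4-byte hash choice (first 4 bytes of SHA-256) and the `hashme` zone name are assumptions for the example.

```python
import hashlib
from typing import List, Optional, Tuple

HASH_ZONE = "hashme.example.com"

# Constructed sample zone in the spirit of Roger's example (not a real zone).
STATIC_ZONE = ["example.com", "www.example.com", "_spf.example.com", "user._spf.example.com"]


def hash_answer(qname: str) -> Optional[str]:
    """Synthesize the answer for <variable>.hashme.example.com on the fly.
    Returns None unless qname is exactly one label under HASH_ZONE."""
    qname = qname.rstrip(".").lower()
    suffix = "." + HASH_ZONE
    if not qname.endswith(suffix):
        return None
    variable = qname[: -len(suffix)]
    if not variable or "." in variable:
        return None
    # Assumed hash: first 4 bytes of SHA-256 (the post does not name a function).
    return hashlib.sha256(variable.encode()).digest()[:4].hex()


def _key(name: str) -> List[str]:
    """DNSSEC canonical ordering key (RFC 4034 s6.1): labels right to left, lower-cased."""
    return [label.lower() for label in reversed(name.rstrip(".").split("."))]


def canonical_order(names: List[str]) -> List[str]:
    return sorted(names, key=_key)


def nsec_cover(static_names: List[str], qname: str) -> Optional[Tuple[str, str]]:
    """Return the (owner, next) NSEC pair a signed static zone serves to deny qname.
    Both names in that proof are real zone names, which is what william's point
    about DNSSEC revealing subdomains comes down to.  Returns None if qname exists."""
    chain = canonical_order(static_names)
    k = _key(qname)
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]  # the chain wraps back to the apex
        is_last = i == len(chain) - 1
        if _key(owner) < k and (is_last or k < _key(nxt)):
            return owner, nxt
    return None


def static_denial_conflicts(qname: str) -> bool:
    """True when the offline-signed chain of a hashme zone (apex only, since every
    child is synthesized) would deny a name that hash_answer happily answers."""
    return hash_answer(qname) is not None and nsec_cover([HASH_ZONE], qname) is not None
```

Run against the sample zone, a denial for a non-existent `mail.example.com` exposes `user._spf.example.com`, and every synthesized hash name is denied by the pre-signed chain; that conflict is why such a responder needs online signing (or, as later standardized in RFC 5155, NSEC3 hashed names to blunt enumeration of static zones).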