To:
Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc:
lewis@tislabs.com (Edward Lewis), dnsop@cafax.se
From:
Edward Lewis <lewis@tislabs.com>
Date:
Thu, 13 Apr 2000 12:03:36 -0400
In-Reply-To:
<200004131553.AAA14982@necom830.hpcl.titech.ac.jp>
Sender:
owner-dnsop@cafax.se
Subject:
Re: Off-tree validation
At 11:53 AM -0400 4/13/00, Masataka Ohta wrote:

>The answer can be: secured, not secured or unknown (because of server
>failure or DoS).

Depends on which side you are looking at the problem from. From the zone side there are two states: secured and unsecured. From the resolver side there are three states: secured, unsecured, and not sure. I have been writing from the zone point of view.

>That is, as I pointed out from the beginning, authentication that
>a zone is insecure is useless.

I disagree. If I get an answer from a zone that has no SIG record attached, should I seek the SIG record? If I can be reliably (securely) told that the zone has no signatures, I will accept the answer as it is. If I am securely told otherwise, I will ask for a better answer and (perhaps) discard what I have received. If I am told nothing, I should be able to identify the point at which the uncertainty starts, and if I am a problem solver, I know where to begin.

It is useful to know when to give up hope. ;)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NAI Labs
Phone: +1 443-259-2352
Email: lewis@tislabs.com

"Trying is the first step to failure." - Homer Simpson
"No! Try not. Do... or do not. There is no try." - Yoda
"It takes years of training to know when to do nothing" - Dogbert 1/21/00

Opinions expressed are property of my evil twin, not my employer.
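The three resolver-side states in the message (secured, unsecured, not sure) and the "where does the uncertainty start" question can be made concrete with a small model. The following is an added example written for this page, not code from the thread or from any DNS implementation. It is a toy: zones are a name-to-record map, the root is assumed to be the trust anchor, a secured parent's signed statement about whether a child is signed is modelled by the child's `signed` flag, a zone's `reachable` flag stands in for server failure or DoS, and validation follows the zone tree only (no off-tree path). SIG verification itself is not modelled; a signed, reachable zone under a secured parent is simply taken to validate.

```python
# Toy model (constructed for this example) of the resolver-side states
# "secured", "unsecured" and "not sure", and of the point where certainty ends.
# Assumptions: the root is the trust anchor; a secured parent's signed statement
# about a child is represented by the child's `signed` flag; validation walks
# the zone tree only; SIG checking is not modelled.

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECURED = "secured"
UNSECURED = "unsecured"
NOT_SURE = "not sure"


@dataclass
class Zone:
    signed: bool            # the zone publishes SIG records
    reachable: bool = True  # its servers answer (False models failure or DoS)


def parent_of(name: str) -> Optional[str]:
    """'sub.example.' -> 'example.', 'example.' -> '.', '.' -> None."""
    if name == ".":
        return None
    rest = name.split(".", 1)[1]
    return rest if rest else "."


def chain(name: str) -> List[str]:
    """Zone names from the root down to `name`, e.g. ['.', 'example.', 'sub.example.']."""
    path = []
    cur: Optional[str] = name
    while cur is not None:
        path.append(cur)
        cur = parent_of(cur)
    return list(reversed(path))


def zone_state(zones: Dict[str, Zone], name: str) -> Tuple[str, Optional[str]]:
    """Walk the tree from the trust anchor to `name`.

    Returns (state, where): state is SECURED, UNSECURED or NOT_SURE; `where`
    names the zone at which certainty was lost, or None when the state is certain.
    """
    for zname in chain(name):
        zone = zones[zname]
        # Reaching this point means every ancestor is secured and reachable, so
        # the parent has told us securely whether this zone is signed.
        if not zone.signed:
            # Securely known to be unsigned: everything from here down is
            # unsecured, and no further queries are needed to decide that.
            return UNSECURED, None
        if not zone.reachable:
            # Signed according to its parent, but its keys/SIGs cannot be
            # fetched: this is where the uncertainty starts.
            return NOT_SURE, zname
        # Signed and answering: taken as validating under the parent's key (toy).
    return SECURED, None


def judge_answer(zones: Dict[str, Zone], zone_name: str, has_sig: bool) -> Tuple[str, str, Optional[str]]:
    """Apply the decision rule from the message to an answer from `zone_name`.

    Returns (verdict, state, where).
    """
    state, where = zone_state(zones, zone_name)
    if state == UNSECURED:
        return "accept as is", state, where            # no signature expected
    if state == SECURED:
        if has_sig:
            return "accept (signed)", state, where
        return "ask for a better answer", state, where  # SIG expected but absent
    return "undetermined", state, where                  # resolver knows where to look


# Constructed sample tree (not real zones).
ZONES = {
    ".": Zone(signed=True),
    "example.": Zone(signed=True),
    "sub.example.": Zone(signed=False),           # securely known to be unsigned
    "deep.sub.example.": Zone(signed=True),       # signed, but hangs off an unsigned zone
    "test.": Zone(signed=True, reachable=False),  # signed, but its servers are down
    "www.test.": Zone(signed=False),
}

if __name__ == "__main__":
    for z, sig in [("example.", False), ("sub.example.", False),
                   ("deep.sub.example.", True), ("www.test.", False)]:
        print(z, "has_sig=%s" % sig, "->", judge_answer(ZONES, z, sig))
```

Running the block shows the three outcomes side by side: an unsigned answer from `example.` is sent back for a better one, the same answer from `sub.example.` is accepted as is because its parent vouches securely that it is unsigned, and any answer under `test.` comes back as undetermined with `test.` named as the zone where the chain broke, which is the "where to begin" information the message argues for.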