To: dnssec@cafax.se
Cc: lewis@tislabs.com
From: Edward Lewis <lewis@tislabs.com>
Date: Wed, 13 Jun 2001 13:02:16 -0400
Delivery-Date: Thu Jun 14 07:44:46 2001
Sender: owner-dnssec@cafax.se
Subject: Verisign's opt-in twist
I was visiting Mark Kosters about a week ago and saw an interesting
proposal for "opt-in" that could obviate the need for NULL keys.  I'm
presenting this for Mark and his folks as he's busy...

To indicate an unsecured delegation, a parent zone would answer like this:

   answer (or authority)[1]:  NS set for the unsecured domain
   authority:  previous-secured-domain NXT following-secured-domain <types>

In other words, the unsecured domain query answers with the valid NS set,
but in the authority section the same domain is NXT'd out (of the secured
portion of the domain).  The return code is NOERROR, not to be confused
with NXDOMAIN.

E.g.  For .test, domains a, b, e are secured, c is not, and d does not exist.

query for a's NS set:
   return code: NOERROR
   answer:      a.test. NS <name server>
   authority:

query for c's NS set:
   return code: NOERROR
   answer:      c.test. NS <name server>
   authority:   b.test. NXT e.test NS SIG KEY NXT

query for d's NS set:
   return code: NXDOMAIN
   answer:      <empty>
   authority:   b.test. NXT e.test NS SIG KEY NXT

Flames to Mark & Verisign (it's their idea).  If you like it, remember you
heard it from me first! ;)

[1] Answer section if the query was for the NS set.  If the reply is a
referral, this would be in the authority too.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.
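A small model of the opt-in responses described in the message, added here as an illustration; it is not part of Ed Lewis's post or of the VeriSign proposal. The NXT chain holds only the apex and the secured delegations, in RFC 2535 canonical order, so the covering NXT for an unsecured or nonexistent name is the greatest chain name that sorts before it, with the last name wrapping back to the apex. The zone data mirrors the .test example from the message; the name-server names, the `OptInParent`/`Response` class names and the type bitmaps are assumptions, and SIG records are left out of the answers.

```python
"""Toy model of "opt-in" parent-zone answers (added example, not from the message)."""
from bisect import bisect_right
from dataclasses import dataclass, field

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"


def canonical_key(name):
    """RFC 2535 canonical ordering: labels compared right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


@dataclass
class Response:
    rcode: str
    answer: list = field(default_factory=list)     # (owner, type, rdata) triples
    authority: list = field(default_factory=list)


class OptInParent:
    """A parent zone whose NXT chain covers only the apex and the secured delegations."""

    def __init__(self, apex, delegations, secured):
        self.apex = apex.lower()
        self.delegations = {k.lower(): v for k, v in delegations.items()}   # child -> NS targets
        self.secured = {s.lower() for s in secured}
        missing = self.secured - set(self.delegations)
        if missing:
            raise ValueError(f"secured names are not delegated: {missing}")
        # The chain is the apex plus the secured children, sorted canonically.
        self.chain = sorted({self.apex} | self.secured, key=canonical_key)
        self._keys = [canonical_key(n) for n in self.chain]

    def types_at(self, owner):
        # NXT type bitmap describes the owner name, not the next name (assumed bitmaps).
        base = ("NS", "SIG", "KEY", "NXT")
        return ("SOA",) + base if owner == self.apex else base

    def covering_nxt(self, qname):
        """The NXT whose [owner, next) interval contains qname, as an (owner, 'NXT', rdata) triple."""
        idx = bisect_right(self._keys, canonical_key(qname)) - 1   # greatest chain name <= qname
        owner = self.chain[idx]
        nxt = self.chain[(idx + 1) % len(self.chain)]              # last name wraps to the apex
        return (owner, "NXT", f"{nxt} {' '.join(self.types_at(owner))}")

    def query_ns(self, qname):
        qname = qname.lower()
        if not qname.endswith("." + self.apex):
            raise ValueError(f"{qname} is not a delegation name below {self.apex}")
        ns_set = [(qname, "NS", ns) for ns in self.delegations.get(qname, [])]
        if qname in self.secured:
            # Secured delegation: the NS set as usual (SIGs elided here), no NXT needed.
            return Response(NOERROR, ns_set)
        nxt = self.covering_nxt(qname)
        if qname in self.delegations:
            # Unsecured delegation: real NS set, NOERROR, and an NXT showing the name
            # is outside the secured part of the zone.
            return Response(NOERROR, ns_set, [nxt])
        # Nonexistent name: NXDOMAIN with the same covering NXT.
        return Response(NXDOMAIN, [], [nxt])


def example_zone():
    # Constructed data mirroring the message: under .test, a, b, e are secured,
    # c is delegated but unsecured, and d does not exist.  Name servers are placeholders.
    return OptInParent(
        "test.",
        {"a.test.": ["ns.a.test."], "b.test.": ["ns.b.test."],
         "c.test.": ["ns.c.test."], "e.test.": ["ns.e.test."]},
        {"a.test.", "b.test.", "e.test."},
    )


if __name__ == "__main__":
    zone = example_zone()
    for q in ("a.test.", "c.test.", "d.test."):
        print(q, zone.query_ns(q))
```

The point the model makes concrete is that c.test. and d.test. get the identical NXT in the authority section; only the return code and the presence of the NS set tell a resolver which case it is looking at.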