

To: dnssec@cafax.se
Cc: lewis@tislabs.com
From: Edward Lewis <lewis@tislabs.com>
Date: Wed, 13 Jun 2001 13:02:16 -0400
Delivery-Date: Thu Jun 14 07:44:46 2001
Sender: owner-dnssec@cafax.se
Subject: Verisign's opt-in twist

I was visiting Mark Kosters about a week ago and saw an interesting
proposal for "opt-in" that could obviate the need for NULL keys.  I'm
presenting this for Mark and his folks as he's busy...

To indicate an unsecured delegation, a parent zone would answer like this:

      answer (or authority)[1]:
           NS set for the unsecured domain
      authority:
           previous-secured-domain  NXT following-secured-domain <types>

In other words, the unsecured domain query answers with the valid NS set,
but in the authoritative section the same domain is NXT'd out (of the
secured portion of the domain).  The return code is NOERROR, not to be
confused with NXDOMAIN.

E.g.  For .test, domains a, b, e are secured, c is not, and d does not exist.

query for a's NS set:
return code: NOERROR
answer:  a.test. NS <name server>
authority:

query for c's NS set:
return code: NOERROR
answer: c.test. NS <name server>
authority: b.test. NXT e.test NS SIG KEY NXT

query for d's NS set:
return code: NXDOMAIN
answer: <empty>
authority: b.test. NXT e.test NS SIG KEY NXT

Flames to Mark & Verisign (it's their idea).  If you like it, remember you
heard it from me first! ;)

[1] Answer section if the query was for the NS set.  If the reply is a
referral, this would be in the authority too.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.
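The three replies in the message above, worked through as an added example
that is not part of the original post and is not code from Verisign or NAI
Labs. It models only what the message describes: the parent's NXT chain
covers the apex plus the delegations that opted in, an NS query for an
unsecured delegation gets NOERROR, the NS set and the spanning NXT, and a
nonexistent name gets NXDOMAIN with the same NXT. The zone contents
(test. with a, b, e secured, c unsecured, d absent), the record shapes and
every function name are this example's own assumptions; signatures are not
modelled and no real DNS library is used.

```python
"""Toy model of the "opt-in" NXT scheme: parent-side reply construction
and resolver-side classification.  Constructed example, not the
original poster's or Verisign's code."""
from dataclasses import dataclass


def canonical_key(name: str):
    """Sort key for DNS canonical order: labels compared right to left,
    case-insensitively, so test. < a.test. < b.test. < e.test."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


@dataclass(frozen=True)
class NXT:
    owner: str
    next: str
    types: tuple

    def covers(self, name: str) -> bool:
        """True if name falls strictly between owner and next in the chain;
        the last NXT wraps around to the apex."""
        o, n, q = canonical_key(self.owner), canonical_key(self.next), canonical_key(name)
        if o < n:
            return o < q < n
        return q > o or q < n


@dataclass
class Zone:
    origin: str
    delegations: dict   # child name -> list of name server hostnames
    secured: set        # children that opted in to the signed NXT chain

    def nxt_chain(self):
        # Only the apex and opted-in names appear in the chain (assumption:
        # apex carries SOA in its type bitmap, opted-in children NS SIG KEY NXT).
        chain = sorted({self.origin} | self.secured, key=canonical_key)
        records = []
        for i, owner in enumerate(chain):
            nxt_name = chain[(i + 1) % len(chain)]
            types = ("SOA", "NS", "SIG", "KEY", "NXT") if owner == self.origin \
                else ("NS", "SIG", "KEY", "NXT")
            records.append(NXT(owner, nxt_name, types))
        return records

    def covering_nxt(self, name: str):
        return next((r for r in self.nxt_chain() if r.covers(name)), None)

    def answer_ns_query(self, name: str):
        """Parent-side reply as (rcode, answer, authority) for an NS query."""
        if name in self.delegations:
            answer = [("NS", name, ns) for ns in self.delegations[name]]
            if name in self.secured:
                return "NOERROR", answer, []
            return "NOERROR", answer, [self.covering_nxt(name)]
        return "NXDOMAIN", [], [self.covering_nxt(name)]


def classify(name: str, reply):
    """Resolver-side reading of the reply.  A NXT that does not actually
    span the queried name (e.g. one replayed from elsewhere in the chain)
    makes the reply bogus rather than an unsecured delegation."""
    rcode, answer, authority = reply
    ns_present = any(rr[0] == "NS" and rr[1] == name for rr in answer)
    nxts = [rr for rr in authority if isinstance(rr, NXT)]
    spanning = [r for r in nxts if r.covers(name)]
    if rcode == "NXDOMAIN":
        return "nonexistent" if spanning and not ns_present else "bogus"
    if rcode == "NOERROR" and ns_present:
        if not nxts:
            return "secured delegation"
        return "unsecured delegation" if spanning else "bogus"
    return "bogus"


# Constructed zone matching the message's example.
ZONE = Zone(
    origin="test.",
    delegations={n: [f"ns1.{n}"] for n in ("a.test.", "b.test.", "c.test.", "e.test.")},
    secured={"a.test.", "b.test.", "e.test."},
)


def show(name: str):
    rcode, answer, authority = ZONE.answer_ns_query(name)
    print(f"query for {name} NS set: {rcode} -> {classify(name, (rcode, answer, authority))}")
    for rr in answer:
        print("  answer:   ", *rr)
    for r in authority:
        print("  authority:", r.owner, "NXT", r.next, " ".join(r.types))


if __name__ == "__main__":
    for n in ("a.test.", "c.test.", "d.test."):
        show(n)
```

Note that the replies for c.test and d.test carry the same NXT (b.test NXT
e.test); in this scheme the only things that distinguish them are the
return code and the unsigned NS set, so the resolver above marks c.test
"unsecured delegation" only as unauthenticated data, and a NXT whose range
does not include the queried name is rejected outright.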
