To:
<dnssec@cafax.se>
Cc:
<lewis@tislabs.com>
From:
"Scott Rose" <scottr@antd.nist.gov>
Date:
Wed, 13 Jun 2001 13:21:26 -0400
Delivery-Date:
Thu Jun 14 07:44:49 2001
Sender:
owner-dnssec@cafax.se
Subject:
Re: Verisign's opt-in twist
So in other words, the NXT chain in .test goes like this? (other records omitted)

a.test NS
a.test NXT b.test
b.test NS
b.test NXT e.test
c.test NS
e.test NS
e.test NXT a.test

The NXT chain only covers the secured namespace? I'm not sure if that's the best solution since the unsecured names are no longer covered by the NXT records. It seems to be altering the definition/use of the NXT records - which a lot of people don't like to begin with. Or am I not getting the picture?

Scott

----- Original Message -----
From: "Edward Lewis" <lewis@tislabs.com>
To: <dnssec@cafax.se>
Cc: <lewis@tislabs.com>
Sent: Wednesday, June 13, 2001 1:02 PM
Subject: Verisign's opt-in twist

> I was visiting Mark Kosters about a week ago and saw an interesting
> proposal for "opt-in" that could obviate the need for NULL keys. I'm
> presenting this for Mark and his folks as he's busy...
>
> To indicate an unsecured delegation, a parent zone would answer like this:
>
> answer (or authority)[1]:
> NS set for the unsecured domain
> authority:
> previous-secured-domain NXT following-secured-domain <types>
>
> In other words, the unsecured domain query answers with the valid NS set,
> but in the authoritative section the same domain is NXT'd out (of the
> secured portion of the domain). The return code is NOERROR, not to confuse
> with NXDOMAIN.
>
> E.g. For .test, domains a, b, e are secured, c is not, and d does not exist.
>
> query for a's NS set:
> return code: NOERROR
> answer: a.test. NS <name server>
> authority:
>
> query for c's NS set:
> return code: NOERROR
> answer: c.test. NS <name server>
> authority: b.test. NXT e.test NS SIG KEY NXT
>
> query for d's NS set:
> return code: NXDOMAIN
> answer: <empty>
> authority: b.test. NXT e.test NS SIG KEY NXT
>
> Flames to Mark & Verisign (it's their idea). If you like it, remember you
> heard it from me first! ;)
>
> [1] Answer section if the query was for the NS set. If the reply is a
> referral, this would be in the authority too.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis NAI Labs
> Phone: +1 443-259-2352 Email: lewis@tislabs.com
>
> You fly too often when ... the airport taxi is on speed-dial.
>
> Opinions expressed are property of my evil twin, not my employer.
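The .test zone from Edward's message (a, b, e secured; c unsecured; d absent), modelled as an added Python example that is not from the mailing list or from Verisign: it builds the NXT ring over the secured names only, answers the three NS queries per the proposal, and adds a validator-side check that a returned NXT really spans the queried name. The name-server names, the NXT type list, and the use of plain string order as canonical DNS order (exact here because every name is a single label) are assumptions.

```python
from dataclasses import dataclass


@dataclass
class OptInZone:
    """Parent zone in which only some delegations are secured (constructed)."""
    apex: str
    delegations: dict   # label -> list of name-server names
    secured: set        # labels whose delegation is secured

    def nxt_chain(self):
        # NXT records exist for secured names only; the last secured name
        # points back to the first, closing the ring (Scott's a/b/e chain).
        names = sorted(self.secured)
        return {n: names[(i + 1) % len(names)] for i, n in enumerate(names)}

    def covering_nxt(self, label):
        # Owner is the greatest secured name sorting before label, or the
        # last secured name when label sorts before all of them (wrap-around).
        chain = self.nxt_chain()                 # keys are in sorted order
        prev = [n for n in chain if n < label]
        owner = prev[-1] if prev else max(chain)
        return (f"{owner}.{self.apex}.", "NXT",
                f"{chain[owner]}.{self.apex}.", "NS SIG KEY NXT")

    def query_ns(self, label):
        # Returns (rcode, answer section, authority section).
        if label in self.delegations:
            answer = [(f"{label}.{self.apex}.", "NS", ns)
                      for ns in self.delegations[label]]
            if label in self.secured:
                return "NOERROR", answer, []     # secured: no NXT needed
            # Unsecured: the NS set is real, yet the authority NXT says the
            # name is not in the secured span. The NXT now proves "no secure
            # delegation here", not "no name here", which is the change in
            # NXT semantics Scott's reply questions.
            return "NOERROR", answer, [self.covering_nxt(label)]
        return "NXDOMAIN", [], [self.covering_nxt(label)]


def nxt_covers(nxt_rr, label):
    """Validator-side check: does the NXT interval (owner, next) contain
    label? A wrapping NXT (owner sorts after next) covers both ring ends."""
    owner, nxt = nxt_rr[0].split(".")[0], nxt_rr[2].split(".")[0]
    if owner < nxt:
        return owner < label < nxt
    return label > owner or label < nxt


# Constructed .test zone matching the quoted example.
TEST = OptInZone(
    apex="test",
    delegations={"a": ["ns.a.test."], "b": ["ns.b.test."],
                 "c": ["ns.c.test."], "e": ["ns.e.test."]},
    secured={"a", "b", "e"},
)
```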