To: "Scott Rose" <scottr@antd.nist.gov>
Cc: <dnssec@cafax.se>, <lewis@tislabs.com>
From: Edward Lewis <lewis@tislabs.com>
Date: Wed, 13 Jun 2001 15:11:57 -0400
Delivery-Date: Thu Jun 14 07:44:56 2001
In-Reply-To: <011801c0f42d$46f76d20$b9370681@antd.nist.gov>
Sender: owner-dnssec@cafax.se
Subject: Re: Verisign's opt-in twist

At 1:21 PM -0400 6/13/01, Scott Rose wrote:
>So in other words, the NXT chain in .test goes like this?

Not quite, the zone apex is included too.

>(other record omitted)
>
>a.test NS
>a.test NXT b.test
>b.test NS
>b.test NXT e.test
>c.test NS
>e.test NS
>e.test NXT a.test
>

So, presuming just the above records, the e.test NXT would be:

#e.test NXT test

with, of course, at the apex:

#test SOA (and what not)
#test NXT a.test

>The NXT chain only covers the secured namespace? I'm not sure if that's the
>best solution since the unsecured names are no longer covered by the NXT
>records. It seems to be altering the definition/use of the NXT records -
>which a lot of people don't like to begin with.
>
>or am I not getting the picture?

The rationale is that unsecured zones are just as at risk as they are now.
The upside is that there are no wasted cycles generating NXT's and KEY's for
them.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NAI Labs
Phone: +1 443-259-2352
Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.
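
The chain discussed in this message, as an added example that is not part of the original e-mail or of any DNS implementation: it builds the NXT chain over the zone apex plus the secured delegations only, then finds which NXT span a given name falls in. The function names and the `secured` flag per delegation are assumptions made for illustration; the zone data is the sample from the thread. c.test, the unsecured delegation, owns no NXT and falls in the b.test to e.test span, the same span that covers a name that does not exist.

```python
# Added illustration: opt-in style NXT chain over the sample .test zone.
# Which delegations are "secured" is an input assumption (a, b, e yes; c no).

def canonical_key(name):
    """DNSSEC canonical ordering: compare labels right to left, lower-cased."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def build_nxt_chain(apex, delegations):
    """Return {owner: next_owner} for the apex and the secured names only."""
    owners = [apex] + [name for name, secured in delegations.items() if secured]
    owners.sort(key=canonical_key)
    # The last owner's NXT wraps around to the apex, closing the chain.
    return {o: owners[(i + 1) % len(owners)] for i, o in enumerate(owners)}

def covering_nxt(chain, qname):
    """Return the (owner, next) span containing qname, or None if qname
    itself owns an NXT record in the chain."""
    q = canonical_key(qname)
    if any(canonical_key(owner) == q for owner in chain):
        return None
    for owner, nxt in chain.items():
        lo, hi = canonical_key(owner), canonical_key(nxt)
        wraps = hi <= lo  # the final record, pointing back at the apex
        if lo < q and (q < hi or wraps):
            return owner, nxt
    return None

# Constructed input matching the records quoted in the thread.
SAMPLE_DELEGATIONS = {
    "a.test": True,
    "b.test": True,
    "c.test": False,  # unsecured delegation: NS only, no NXT generated
    "e.test": True,
}

if __name__ == "__main__":
    chain = build_nxt_chain("test", SAMPLE_DELEGATIONS)
    for owner, nxt in chain.items():
        print(f"{owner} NXT {nxt}")
    # An unsecured delegation and a nonexistent name share one span.
    for qname in ("c.test", "d.test", "z.test", "b.test"):
        print(qname, "->", covering_nxt(chain, qname))
```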