To:
Olafur Gudmundsson <ogud@ogud.com>
Cc:
dnssec@cafax.se
From:
Edward Lewis <lewis@tislabs.com>
Date:
Wed, 13 Jun 2001 15:20:54 -0400
Delivery-Date:
Thu Jun 14 07:44:58 2001
In-Reply-To:
<5.1.0.14.0.20010612093628.04d4fc30@localhost>
Sender:
owner-dnssec@cafax.se
Subject:
Re: Fwd: I-D ACTION:draft-ietf-dnsext-delegation-signer-00.txt
One problem with the DK(EY) approach is that it doubles the number of cryptographic checks a resolver needs to perform to verify data.

I also think that altering the key publication is missing the true problem. The problem lies in the SIG record. It's the mismatch of the SIG record's generator (the parent) from where the apex is (the child) that is causing the problem.

So far we've been concentrating on the TLD/SLD interface. What about the lower levels, where the authoritative server sets may overlap? Would DK(EY) benefit those administrations in a way that offsets the cost of the change?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NAI Labs
Phone: +1 443-259-2352
Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.