To: Edward Lewis <lewis@tislabs.com>
Cc: dnssec@cafax.se
From: Roy Arends <Roy.Arends@nominum.com>
Date: Thu, 14 Jun 2001 03:12:13 +0200 (CEST)
Delivery-Date: Thu Jun 14 07:45:16 2001
In-Reply-To: <v03130300b74d49aa4f9a@[192.94.214.133]>
Sender: owner-dnssec@cafax.se
Subject: Re: Verisign's opt-in twist
On Wed, 13 Jun 2001, Edward Lewis wrote:
> I was visiting Mark Kosters about a week ago and saw an interesting
> proposal for "opt-in" that could obviate the need for NULL keys. I'm
> presenting this for Mark and his folks as he's busy...
>
> To indicate an unsecured delegation, a parent zone would answer like this:
>
> answer (or authority)[1]:
> NS set for the unsecured domain
> authority:
> previous-secured-domain NXT following-secured-domain <types>
>
> In other words, the unsecured domain query answers with the valid NS set,
> but in the authority section the same domain is NXT'd out (of the
> secured portion of the domain). The return code is NOERROR, not to be
> confused with NXDOMAIN.
A nice side-effect is that by using this scheme, a signed zone could allow
verifiably unsigned RRsets (1). For instance, RRsets added to a zone
through secure dynamic update could already be published (verifiably
unsigned) in a signed zone until the next scheduled signing session. This
would relieve a signing entity from unscheduled (re)generation of NXT and
(re)signing of NXT in a signed zone.
(1) An example of a verifiable unsigned RRset:
query for an A record for host.example.com.
return code: NOERROR
answer: host.example.com. A <IP>
authority: alfa.example.com. NXT kappa.example.com. MX SIG NXT
alfa.example.com. SIG NXT rdata...
Regards,
Roy Arends
Nominum.
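The check a validator would have to perform on the response in footnote (1), written as an added example that is not from the thread or from any DNSSEC implementation: the unsigned answer counts as "verifiably unsigned" only if the authority-section NXT validates, belongs to the zone named by its SIG's signer, and spans the queried name strictly. The NXT dataclass, its `sig_valid`/`signer` fields and the sample names are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NXT:
    """An NXT record from the authority section plus the outcome of validating
    its SIG (assumed to have been done already). `signer` is the zone apex
    taken from the signer field of the SIG NXT."""
    owner: str
    next_name: str
    types: frozenset
    signer: str
    sig_valid: bool

def canonical_key(name: str) -> list:
    """DNSSEC canonical ordering key: labels from the root downward, compared
    case-insensitively as byte strings; an ancestor sorts before its children."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return labels[::-1]

def in_zone(name: str, apex: str) -> bool:
    a = canonical_key(apex)
    return canonical_key(name)[:len(a)] == a

def in_nxt_span(name: str, nxt: NXT) -> bool:
    """True if `name` lies strictly between the NXT owner and its next name.
    The last NXT of a zone points back to the apex, so that span wraps."""
    n, lo, hi = canonical_key(name), canonical_key(nxt.owner), canonical_key(nxt.next_name)
    if lo < hi:
        return lo < n < hi
    return n > lo or n < hi          # wraparound span ending at the apex

def verifiably_unsigned(qname: str, answer_has_sig: bool, nxt: NXT) -> bool:
    """Decide whether an unsigned answer RRset at `qname` is provably outside
    the signed portion of the zone under the opt-in scheme. A name equal to
    an NXT owner is in the secure set and therefore must carry a SIG, so it
    never qualifies; a signed answer needs no opt-in proof at all."""
    if answer_has_sig or not nxt.sig_valid or not in_zone(qname, nxt.signer):
        return False
    return in_nxt_span(qname, nxt)

# Constructed data mirroring footnote (1): alfa and kappa are the nearest
# signed names, host.example.com. was added by dynamic update and is unsigned.
EXAMPLE_NXT = NXT("alfa.example.com.", "kappa.example.com.",
                  frozenset({"MX", "SIG", "NXT"}), "example.com.", True)

if __name__ == "__main__":
    print(verifiably_unsigned("host.example.com.", False, EXAMPLE_NXT))  # True
```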