

To: Edward Lewis <lewis@tislabs.com>
Cc: dnssec@cafax.se
From: Roy Arends <Roy.Arends@nominum.com>
Date: Thu, 14 Jun 2001 03:12:13 +0200 (CEST)
Delivery-Date: Thu Jun 14 07:45:16 2001
In-Reply-To: <v03130300b74d49aa4f9a@[192.94.214.133]>
Sender: owner-dnssec@cafax.se
Subject: Re: Verisign's opt-in twist

On Wed, 13 Jun 2001, Edward Lewis wrote:

> I was visiting Mark Kosters about a week ago and saw an interesting
> proposal for "opt-in" that could obviate the need for NULL keys.  I'm
> presenting this for Mark and his folks as he's busy...
> 
> To indicate a unsecured delegation, a parent zone would answer like this:
> 
>       answer (or authority)[1]:
>            NS set for the unsecured domain
>       authority:
>            previous-secured-domain  NXT following-secured-domain <types>
> 
> In other words, the unsecured domain query answers with the valid NS set,
> but in the authoritative section the same domain is NXT'd out (of the
> secured portion of the domain).  The return code is NOERROR, not to confuse
> with NXDOMAIN.

A nice side-effect is that by using this scheme, a signed zone could allow
verifiably unsigned RRsets (1). For instance, adding RRsets to a zone
through secure dynamic update, already being published (verifiably
unsigned) in a signed zone until the next scheduled signing session. This
would relieve a signing entity from unscheduled (re)generation of NXT and
(re)signing of NXT in a signed zone.

(1) An example of a verifiably unsigned RRset:

query for an A record for host.example.com.
return code: NOERROR
answer: host.example.com. A <IP>
authority: alfa.example.com. NXT kappa.example.com. MX SIG NXT
           alfa.example.com. SIG NXT rdata...

Regards,

Roy Arends
Nominum.
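Added example, not part of the thread: a small Python checker for the response shapes discussed above (NS set or A record with NOERROR plus an NXT in the authority section that spans the name). It uses the canonical name ordering of RFC 2535 section 8.3; the names, apex and type list are constructed, and validating the SIG over the NXT itself is assumed to happen before this check.

```python
"""Decide what an NXT record in the authority section proves about a query name.

Canonical order (RFC 2535 8.3): compare labels right to left, case-insensitively,
as octet strings; a missing label sorts before any label (parent before child).
"""

def _labels(name: str) -> list[bytes]:
    """Labels of a name, most significant (rightmost) first, lowercased."""
    name = name.rstrip(".").lower()
    return [l.encode("ascii") for l in reversed(name.split("."))] if name else []

def canonical_lt(a: str, b: str) -> bool:
    """True if a sorts before b in canonical DNS name order."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return x < y          # octet comparison; a shorter prefix label sorts first
    return len(la) < len(lb)

def nxt_covers(owner: str, next_name: str, apex: str, name: str) -> bool:
    """True if name lies strictly inside the span owner < name < next_name.
    The last NXT in a zone points back to the apex, so that span wraps."""
    if _labels(name) == _labels(owner) or canonical_lt(name, owner):
        return False
    if _labels(next_name) == _labels(apex):
        return True               # wrap-around span: everything after owner
    return canonical_lt(name, next_name)

def classify(qname: str, qtype: str, rcode: str, has_answer: bool,
             nxt_owner: str, nxt_next: str, apex: str, nxt_types: list[str]) -> str:
    """Interpret one (already signature-verified) NXT against the response."""
    if _labels(nxt_owner) == _labels(qname):
        # NXT at the name itself: its type bitmap says which signed types exist.
        return "signed-data-present" if qtype in nxt_types else "proven-no-data"
    if not nxt_covers(nxt_owner, nxt_next, apex, qname):
        return "nxt-does-not-apply"
    if rcode == "NXDOMAIN" and not has_answer:
        return "proven-nonexistent"
    if rcode == "NOERROR" and has_answer:
        # Name is NXT'd out of the secured span yet data is returned:
        # the opt-in / verifiably unsigned case from the thread.
        return "verifiably-unsigned"
    return "inconsistent"
```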

