To:
Edward Lewis <lewis@tislabs.com>
Cc:
dnssec@cafax.se
From:
Roy Arends <Roy.Arends@nominum.com>
Date:
Thu, 14 Jun 2001 03:12:13 +0200 (CEST)
Delivery-Date:
Thu Jun 14 07:45:16 2001
In-Reply-To:
<v03130300b74d49aa4f9a@[192.94.214.133]>
Sender:
owner-dnssec@cafax.se
Subject:
Re: Verisign's opt-in twist
On Wed, 13 Jun 2001, Edward Lewis wrote:

> I was visiting Mark Kosters about a week ago and saw an interesting
> proposal for "opt-in" that could obviate the need for NULL keys. I'm
> presenting this for Mark and his folks as he's busy...
>
> To indicate an unsecured delegation, a parent zone would answer like this:
>
> answer (or authority)[1]:
>   NS set for the unsecured domain
> authority:
>   previous-secured-domain NXT following-secured-domain <types>
>
> In other words, the unsecured domain query answers with the valid NS set,
> but in the authoritative section the same domain is NXT'd out (of the
> secured portion of the domain). The return code is NOERROR, not to confuse
> with NXDOMAIN.

A nice side-effect is that by using this scheme, a signed zone could allow
verifiably unsigned RRsets (1). For instance, adding RRsets to a zone through
secure dynamic update, already being published (verifiably unsigned) in a
signed zone until the next scheduled signing session. This would relieve a
signing entity from unscheduled (re)generation of NXT and (re)signing of NXT
in a signed zone.

(1) An example of a verifiable unsigned RRset:

query for an A record for host.example.com.

return code: NOERROR
answer:
  host.example.com. A <IP>
authority:
  alfa.example.com. NXT kappa.example.com. MX SIG NXT
  alfa.example.com. SIG NXT rdata...

Regards,

Roy Arends
Nominum.
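The check a validating resolver would have to perform on Roy's footnote example, as an added illustration that is not part of the thread: the unsigned A RRset is accepted only when a signed NXT in the authority section proves, by DNSSEC canonical ordering, that the name falls in a gap of the secured span. The record layout, function names, the assumption that the caller has already cryptographically verified the SIGs, and the sample address are all constructed here; the NXT chain wraps back to the apex, so the last gap is handled as well.

```python
NOERROR = 0

def canonical_key(name):
    # DNSSEC canonical order: compare labels from the root downward, case-folded.
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def nxt_covers(owner, nxt_next, qname):
    # True when qname sorts strictly inside the gap (owner, next).  The last
    # NXT in a chain points back to the apex, so that gap wraps around.
    o, n, q = (canonical_key(x) for x in (owner, nxt_next, qname))
    if q == o:
        return False              # qname owns an NXT: it is inside the secured span
    if o < n:
        return o < q < n
    return q > o or q < n         # wrapped gap at the end of the chain

def verify_unsigned_answer(qname, qtype, rcode, answer, authority):
    """Accept an unsigned RRset in `answer` only if `authority` carries a signed
    NXT whose gap shows qname lies outside the secured span. SIGs are assumed to
    be cryptographically checked by the caller; only their presence is tested.
    Returns (accepted, reason)."""
    if rcode != NOERROR:
        return False, "only NOERROR answers carry an opt-in proof"
    rrset = [rr for rr in answer
             if rr["type"] == qtype and rr["name"].lower() == qname.lower()]
    if not rrset:
        return False, "no %s RRset for %s in answer" % (qtype, qname)
    if any(rr["type"] == "SIG" for rr in answer):
        return False, "answer is signed; validate the SIG, not an NXT gap"
    signed = {rr["name"].lower() for rr in authority
              if rr["type"] == "SIG" and rr["covers"] == "NXT"}
    for nxt in (rr for rr in authority if rr["type"] == "NXT"):
        if nxt["name"].lower() not in signed:
            continue              # an unsigned NXT proves nothing
        if nxt_covers(nxt["name"], nxt["next"], qname):
            return True, "%s lies in gap %s -> %s" % (qname, nxt["name"], nxt["next"])
        if canonical_key(nxt["name"]) == canonical_key(qname):
            return False, "%s owns an NXT: unsigned data here is a downgrade" % qname
    return False, "no signed NXT covers %s" % qname

# Constructed sample matching the footnote: host.example.com is unsigned and
# alfa.example.com's signed NXT spans to kappa.example.com (address is made up).
SAMPLE_ANSWER = [{"name": "host.example.com.", "type": "A", "rdata": "192.0.2.10"}]
SAMPLE_AUTH = [
    {"name": "alfa.example.com.", "type": "NXT", "next": "kappa.example.com.",
     "types": ["MX", "SIG", "NXT"]},
    {"name": "alfa.example.com.", "type": "SIG", "covers": "NXT"},
]
```

Running `verify_unsigned_answer("host.example.com.", "A", NOERROR, SAMPLE_ANSWER, SAMPLE_AUTH)` accepts the footnote's answer, while the same unsigned A record for alfa.example.com. is rejected because that name owns an NXT and must be signed.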