To: Mark Kosters <markk@netsol.com>
Cc: namedroppers@ops.ietf.org, dnssec@cafax.se
From: Roy Arends <Roy.Arends@nominum.com>
Date: Fri, 29 Jun 2001 07:30:48 +0200 (CEST)
Delivery-Date: Fri Jun 29 09:14:13 2001
In-Reply-To: <200106271101.HAA25179@ietf.org>
Sender: owner-dnssec@cafax.se
Subject: Re: I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt

On Wed, 27 Jun 2001 Internet-Drafts@ietf.org wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the DNS Extensions Working Group of the IETF.
> 
> 	Title		: DNSSEC Opt-in for Large Zones
> 	Author(s)	: M. Kosters
> 	Filename	: draft-ietf-dnsext-dnssec-opt-in-00.txt
> 	Pages		: 9
> 	Date		: 26-Jun-01
> 	

Mark, I'm convinced this is a good idea, though a few first thoughts after
reading the draft:

1) wrt opt-in, a NXT record indicates that a delegation is not secured by
specifying the signed owner name before and after the unsecured owner
name. Thus it indicates "authenticated denial of security" instead of
"authenticated denial of existence". Should the type bit map be interpreted
as "type does not exist" or "type is not signed"?

2) To indicate opt-in, a bit is set in the flag-field of the zone KEY.
When I decide to sign the zone with an "opt-in" zone KEY and I sign the
zone with a vanilla zone KEY (I can sign the zone with more than 1 KEY),
there is no way of indicating how to create NXT RR. Would there be two NXT
RRs, one for opt-in view, one for rfc2535-style? This is in my opinion
very difficult to realise and probably breaks the scheme. Temporarily
signing with both keys might be necessary when I'm moving from a
rfc2535-style to opt-in-style or vice versa.

3) Should we extend "authenticated denial of security" for unsecure
delegations (as specified in the draft) to any RRset?

4) If opt-in is generally conceived as a good idea, should backwards
compatibility be enforced by also permitting rfc2535-style zones? We are
already searching for an alternative to sig@child, which is not backward
compatible (though of a different level) with rfc2535, next to that,
rfc2535 style zones are not widely deployed. To my knowledge there are
some testbeds (cairn, tislabs, sigz, nl.nl, etc) though I've not seen a
full deployment of DNSSEC.


My .02 Euro,

Regards,

Roy Arends
Nominum
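Added example, not from the mail above or from the opt-in draft: a small checker that decides whether an NXT record's span (owner name to next name, under RFC 2535 canonical ordering) covers a query name, and reports which statement the span supports under the two interpretations raised in point 1. The zone names used are constructed for illustration.

```python
# Added example (not from the mail or the opt-in draft): checks whether an NXT
# record's span covers a query name under RFC 2535 canonical ordering and
# reports what the span proves under plain RFC 2535 versus opt-in.
# All domain names used here are constructed for illustration.

def _labels(name):
    """Lowercased labels of a domain name, right-most (closest to root) first."""
    name = name.rstrip(".").lower()
    return [lab.encode("ascii") for lab in reversed(name.split("."))] if name else []

def canonical_cmp(a, b):
    """RFC 2535 section 8.3 ordering: compare labels from the root outward,
    case-insensitively as octet strings; a proper ancestor sorts first."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def nxt_proves(owner, next_name, qname, opt_in):
    """What an NXT record (owner -> next_name) proves about qname.

    Returns None when qname lies outside the span (this NXT is irrelevant),
    'consult type bit map' when qname is the NXT owner itself, and otherwise
    the denial statement the span supports: under plain RFC 2535 no name
    exists between owner and next_name; under opt-in only that no *signed*
    name exists there, so an unsigned delegation may still be present.
    """
    if canonical_cmp(qname, owner) == 0:
        return "consult type bit map"
    after_owner = canonical_cmp(qname, owner) > 0
    before_next = canonical_cmp(qname, next_name) < 0
    if canonical_cmp(owner, next_name) < 0:
        covered = after_owner and before_next   # ordinary span inside the chain
    else:
        covered = after_owner or before_next    # last NXT wraps back to the apex
    if not covered:
        return None
    return ("authenticated denial of security" if opt_in
            else "authenticated denial of existence")

if __name__ == "__main__":
    # Constructed chain fragment: a.example -> c.example, and z.example -> example (wrap).
    print(nxt_proves("a.example.", "c.example.", "b.example.", opt_in=False))
    print(nxt_proves("a.example.", "c.example.", "b.example.", opt_in=True))
    print(nxt_proves("z.example.", "example.", "zz.example.", opt_in=True))
```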