

To: Roy Arends <Roy.Arends@nominum.com>
cc: Mark Kosters <markk@netsol.com>, <namedroppers@ops.ietf.org>, <dnssec@cafax.se>
From: Mats Dufberg <dufberg@nic-se.se>
Date: Fri, 29 Jun 2001 19:52:29 +0200 (CEST)
Delivery-Date: Sat Jun 30 08:11:34 2001
In-Reply-To: <Pine.BSF.4.21.0106290646570.247-100000@node10c4d.a2000.nl>
Sender: owner-dnssec@cafax.se
Subject: Re: I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt

On Fri, 29 Jun 2001, Roy Arends wrote:

> 4) If opt-in is generally conceived as a good idea, should backwards
> compatibility be enforced by also permitting rfc2535-style zones? We are
> already searching for an alternative to sig@child, which is not backward
> compatible (though of a different level) with rfc2535, next to that,
> rfc2535 style zones are not widely deployed. To my knowledge there are
> some testbeds (cairn, tislabs, sigz, nl.nl, etc) though I've not seen a
> full deployment of DNSSEC.

I find the opt-in alternative a good suggestion, which will ease the
deployment of DNSsec. But it would be a bad idea not to have the full NXT
(as defined in RFC 2535).

During the transition period we will have zones with mixed data (both
signed and unsigned), but eventually there will be fully signed (secured)
subtrees.

If you have a fully signed tree there is not much (if any) gained from
the opt-in alternative, but you will not have the fully authenticated
denial of existence, which means that a fake non-secured subdomain can be
spoofed.

Opt-in is good only if full NXT is kept.


Mats

-----------------------------------------------------------------
Mats Dufberg                                     +46-8-545 857 06
dufberg@nic-se.se                           fax: +46-8-545 857 29
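The point about losing authenticated denial of existence, shown as an added toy model that is not part of this mail or of the draft: a full RFC 2535 NXT chain links every name, while the opt-in chain below skips an unsigned delegation, so a resolver covered by an opt-in span cannot distinguish a real unsigned delegation from a forged one. Names are simplified to short strings in canonical order, and the `opt_in` flag on the record is an assumption of the model.

```python
# Added illustration (not from the original mail or any draft): a toy model of
# an NXT chain, comparing full RFC 2535 NXT coverage with an opt-in chain that
# skips unsigned delegations. Names are simplified to canonical-order strings,
# and the zone apex is represented as the empty string "".

from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class NXT:
    owner: str      # owner name of the NXT record
    next: str       # next name in the chain (canonical order, wraps to apex)
    opt_in: bool    # assumed flag: unsigned names may be skipped in (owner, next)

def covers(nxt: NXT, name: str) -> bool:
    """True if name falls strictly between owner and next (wraparound at apex)."""
    if nxt.owner < nxt.next:
        return nxt.owner < name < nxt.next
    return name > nxt.owner or name < nxt.next   # last record wraps to apex

def denial_status(chain: list[NXT], name: str) -> str:
    """Classify what the chain proves about 'name':
    'exists'  - name owns an NXT, so it is a name present in the signed chain
    'denied'  - a full-NXT record covers it: authenticated non-existence
    'unknown' - an opt-in record covers it: an unsigned delegation may or may
                not exist there, and a forged one cannot be told apart
    """
    for nxt in chain:
        if nxt.owner == name:
            return "exists"
    for nxt in chain:
        if covers(nxt, name):
            return "unknown" if nxt.opt_in else "denied"
    return "unknown"   # broken or incomplete chain: no proof either way

# Constructed zone: apex, a and c are signed; b is an unsigned delegation.
# Full RFC 2535 chain: every name, including b, has an NXT record.
FULL_CHAIN = [NXT("", "a", False), NXT("a", "b", False),
              NXT("b", "c", False), NXT("c", "", False)]
# Opt-in chain: the span a..c is marked opt-in and b is left out.
OPT_IN_CHAIN = [NXT("", "a", False), NXT("a", "c", True),
                NXT("c", "", False)]

if __name__ == "__main__":
    for zone, chain in (("full", FULL_CHAIN), ("opt-in", OPT_IN_CHAIN)):
        for q in ("b", "bogus", "d"):
            print(f"{zone:7s} {q:6s} -> {denial_status(chain, q)}")
```

Under the opt-in chain the forged name `bogus` and the real delegation `b` both come back as `unknown`, which is exactly the spoofing window the mail describes; outside the opt-in span (`d`) denial is still authenticated.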
