To: DNSEXT <namedroppers@ops.ietf.org>
Cc: Mark Kosters <markk@netsol.com>, <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Fri, 29 Jun 2001 22:02:46 +0200 (MEST)
Delivery-Date: Sat Jun 30 08:11:41 2001
In-Reply-To: <Pine.BSO.4.31.0106291818540.32641-100000@fonbella.crt.se>
Sender: owner-dnssec@cafax.se
Subject: Re: I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt
I have more comments after some more out-of-band discussions with roy, dan & mats.

at first, an opt-in zone is perhaps a somewhat bad name. what we really mean is "a zone that may contain unsigned data". to achieve this we have at least two options.

we either have a flag somewhere (in KEY, SEC or what have we) that toggles the semantics of the NXT records for a zone to change from "authenticated denial of existence" into "authenticated denial of security".

an alternative solution would be to add another RR for authenticated denial. the rfc 2535 semantics for NXT remain. the new RR would include a flag that specifies if it denies existence of everything or denies existence of security. this could be a RR similar to NXT or NO but with a flag field added.

jakob
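To make the difference between the two NXT semantics concrete, here is an added example (not part of the message above, the draft, or any DNSSEC implementation) that models a zone's NXT chain in Python. It assumes a hypothetical per-zone flag, here called `deny_security_only`, standing in for the "flag somewhere" that toggles a zone from RFC 2535 "authenticated denial of existence" to "authenticated denial of security". Zone and owner names are constructed sample data. The point it shows: under opt-in semantics a name that falls into a gap of the chain can only be concluded to have no signed data, not to be absent, so a validator must treat such a name differently from an RFC 2535 NXT gap.

```python
from dataclasses import dataclass


def canonical_key(name: str) -> tuple:
    """DNSSEC canonical ordering: labels compared right to left, case-insensitive."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(reversed(labels))


@dataclass
class NxtRecord:
    owner: str
    next_name: str
    # Hypothetical flag (assumed, not from the draft): True means the gap between
    # owner and next_name only proves "no signed data here", not "nothing here".
    deny_security_only: bool


def build_chain(signed_names, zone: str, opt_in: bool):
    """Build the circular NXT chain over the apex plus the names that carry signed data.

    With opt_in=True, names without signatures are simply left out of the chain,
    which is what "a zone that may contain unsigned data" amounts to.
    """
    names = sorted(set(signed_names) | {zone}, key=canonical_key)
    chain = []
    for i, owner in enumerate(names):
        nxt = names[(i + 1) % len(names)]  # last record wraps back to the apex
        chain.append(NxtRecord(owner, nxt, opt_in))
    return chain


def covers(rec: NxtRecord, name: str) -> bool:
    """True if name sorts strictly between rec.owner and rec.next_name."""
    k = canonical_key(name)
    lo, hi = canonical_key(rec.owner), canonical_key(rec.next_name)
    if lo < hi:
        return lo < k < hi
    # wrap-around record: everything after the last name or before the apex
    return k > lo or k < hi


def classify(chain, name: str) -> str:
    """What a validator may conclude about `name` from the chain.

    'signed'           - name owns an NXT, so its data is signed
    'denied_existence' - RFC 2535 gap: the name does not exist
    'denied_security'  - opt-in gap: the name may exist, but has no signed data;
                         the validator must fall back to the unsigned answer
    """
    for rec in chain:
        if canonical_key(rec.owner) == canonical_key(name):
            return "signed"
    for rec in chain:
        if covers(rec, name):
            return "denied_security" if rec.deny_security_only else "denied_existence"
    return "unknown"  # cannot happen for a well-formed circular chain


if __name__ == "__main__":
    # constructed sample zone: only a. and c. carry signed data, b. is unsigned
    signed = ["a.example.", "c.example."]
    rfc2535_chain = build_chain(signed, "example.", opt_in=False)
    opt_in_chain = build_chain(signed, "example.", opt_in=True)
    for qname in ["a.example.", "b.example.", "zz.example."]:
        print(qname, classify(rfc2535_chain, qname), classify(opt_in_chain, qname))
```

The same gap in the chain yields a different conclusion depending only on the flag, which is why the message's second option (a separate RR with its own flag field) keeps the RFC 2535 NXT meaning intact rather than overloading it.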