To: Mats Dufberg <dufberg@nic-se.se>
Cc: Roy Arends <Roy.Arends@nominum.com>, Mark Kosters <markk@netsol.com>, namedroppers@ops.ietf.org, dnssec@cafax.se
From: Roy Arends <Roy.Arends@nominum.com>
Date: Mon, 2 Jul 2001 14:15:21 +0200 (CEST)
In-Reply-To: <Pine.BSF.4.30.0106291918560.3719-100000@spider.nic-se.se>
Sender: owner-dnssec@cafax.se
Subject: Re: I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt

On Fri, 29 Jun 2001, Mats Dufberg wrote:

> On Fri, 29 Jun 2001, Roy Arends wrote:
> > 4) If opt-in is generally conceived as a good idea, should backwards
> > compatibility be enforced by also permitting rfc2535-style zones ? We are
> > already searching for an alternative to sig@child, which is not backward
> > compatible (though of a different level) with rfc2535, next to that,
> > rfc2535 style zones are not widely deployed. To my knowledge there are
> > some testbeds (cairn, tislabs, sigz, nl.nl, etc) though I've not seen a
> > full deployment of DNSSEC.
> I find the opt-in alternative a good suggestion, which will ease the
> deployment of DNSsec. But it would be a bad idea not to have the full NXT
> (as defined in RFC 2535).
> During the transition period we will have zone with mixed data (both
> signed and unsigned), but eventually there will be fully signed (secured)
> subtrees.
> If you have a fully signed tree there is not much (if any) gained from
> the opt-in alternative, but you will not have the fully authenticated
> denial of existence, which means that a fake non-secured subdomain can be
> spoofed.

Note that a malicious user has little, if anything, to gain by faking a
delegation (as in creating a domain that until now did not exist). In
general, a malicious user would want to spoof an existing domain. A
secured existing domain cannot be spoofed (regardless of whether the zone was
opt-in or rfc2535 signed). An unsecured existing domain can always be
spoofed (regardless of whether the zone was opt-in or rfc2535 signed), because
glue will never be signed.

> Opt-in is good only if full NXT is kept.

Backwards compatibility is no problem, as long as the ambiguity in the NXT
record has to be solved (and I think then using a bit in the KEY does not
solve that).


Roy Arends
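The following is an added example, not part of this thread or of the opt-in draft, illustrating the point both sides make about NXT: a full RFC 2535 NXT chain lets a validator prove a name does not exist, while a span that may hide unsigned delegations (marked here with a constructed `opt_in` flag; the draft's actual encoding of such spans is not assumed) can only say "unsigned delegation or nonexistent". The zone contents, names and the `Nxt` type are constructed for the example.

```python
# Added example (not from the thread): a minimal checker for RFC 2535-style
# NXT chains, extended with a constructed "opt_in" flag per span, to show why
# an opt-in span cannot give authenticated denial of existence.
from dataclasses import dataclass


def canonical_key(name: str):
    """Sort key for DNS canonical ordering: compare labels from the root
    leftwards, case-insensitively (RFC 2535 section 8.1 style ordering)."""
    labels = [label.lower() for label in name.rstrip(".").split(".") if label]
    return tuple(reversed(labels))


@dataclass(frozen=True)
class Nxt:
    owner: str            # owner name of the NXT record
    next: str             # next name in canonical order (apex closes the chain)
    opt_in: bool = False  # constructed flag: span may hide unsigned delegations


def span_covers(nxt: Nxt, qname: str, apex: str) -> bool:
    """True if qname sorts strictly between nxt.owner and nxt.next.
    The last NXT points back to the apex, so its span wraps around."""
    q = canonical_key(qname)
    lo = canonical_key(nxt.owner)
    hi = canonical_key(nxt.next)
    if hi == canonical_key(apex):
        return q > lo  # wrap-around: everything sorting after the last owner
    return lo < q < hi


def denial_status(chain, qname: str, apex: str) -> str:
    """Classify what a signed NXT chain proves about qname (assumed in-zone)."""
    q = canonical_key(qname)
    apex_key = canonical_key(apex)
    if q[: len(apex_key)] != apex_key:
        return "out-of-zone"
    for nxt in chain:
        if canonical_key(nxt.owner) == q:
            return "exists"
        if span_covers(nxt, qname, apex):
            # An opt-in span proves nothing about unsigned names inside it:
            # a forged unsigned delegation fits there just as well as a gap.
            return "unsigned-delegation-or-nonexistent" if nxt.opt_in else "proven-nonexistent"
    return "no-covering-nxt"


# Constructed zone "example." with one opt-in span between a and m.
APEX = "example."
OPT_IN_CHAIN = [
    Nxt("example.", "a.example."),
    Nxt("a.example.", "m.example.", opt_in=True),
    Nxt("m.example.", "example."),
]
# Same names, but a full RFC 2535 chain with no opt-in spans.
FULL_CHAIN = [Nxt(n.owner, n.next) for n in OPT_IN_CHAIN]


def demo():
    """Return the status of a few query names under both chain styles."""
    return {
        ("b.example.", "opt-in"): denial_status(OPT_IN_CHAIN, "b.example.", APEX),
        ("b.example.", "full"): denial_status(FULL_CHAIN, "b.example.", APEX),
        ("z.example.", "opt-in"): denial_status(OPT_IN_CHAIN, "z.example.", APEX),
        ("m.example.", "opt-in"): denial_status(OPT_IN_CHAIN, "m.example.", APEX),
    }


if __name__ == "__main__":
    for key, status in demo().items():
        print(key, "->", status)
```

Running it shows `b.example.` as `proven-nonexistent` under the full chain but only `unsigned-delegation-or-nonexistent` under the opt-in chain, which is exactly the loss of authenticated denial the thread discusses; names outside the opt-in span are unaffected.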

