To: Jakob Schlyter <jakob@crt.se>
Cc: DNSEXT <namedroppers@ops.ietf.org>, dnssec@cafax.se
From: Mark Kosters <markk@netsol.com>
Date: Tue, 3 Jul 2001 14:39:02 -0400
Content-Disposition: inline
Delivery-Date: Wed Jul 4 09:39:14 2001
In-Reply-To: <Pine.BSO.4.31.0106291818540.32641-100000@fonbella.crt.se>; from jakob@crt.se on Fri, Jun 29, 2001 at 06:39:23PM +0200
Sender: owner-dnssec@cafax.se
User-Agent: Mutt/1.2.5i
Subject: Re: I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt

On Fri, Jun 29, 2001 at 06:39:23PM +0200, Jakob Schlyter wrote:
> I think the opt-in flag should be moved to a separate RR, a modified
> version of Ed Lewis' SEC RR would probably be a good choice (although I
> would perhaps like to call it ZSS for Zone Security Status instead).

I agree with having some sort of way of indicating the type of dnssec
that is offered by that particular zone. This would also help with the
NXT/NO problem as well. We used an unused bit in the KEY RR for opt-in
given there was no other alternative.

> the opt-in flag is a per zone flag. as there could be multiple zone keys
> and if KEY would include this flag, all zone keys have to have the same
> flag (for that bit). also, as the zone keys are signed by the parent, the
> child can not change from/to opt-in without having the parent sign the
> child's key.

That brings up a question. Is it better or worse for this to be stored in the
parent so the resolver knows what type of zone it is dealing with before it
queries the child?

Mark

-- 

Mark Kosters             markk@netsol.com       Verisign Applied Research