To:
Jakob Schlyter <jakob@crt.se>
Cc:
DNSEXT <namedroppers@ops.ietf.org>, dnssec@cafax.se
From:
Mark Kosters <markk@netsol.com>
Date:
Tue, 3 Jul 2001 14:39:02 -0400
Content-Disposition:
inline
Delivery-Date:
Wed Jul 4 09:39:14 2001
In-Reply-To:
<Pine.BSO.4.31.0106291818540.32641-100000@fonbella.crt.se>; from jakob@crt.se on Fri, Jun 29, 2001 at 06:39:23PM +0200
Sender:
owner-dnssec@cafax.se
User-Agent:
Mutt/1.2.5i
Subject:
Re: I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt
On Fri, Jun 29, 2001 at 06:39:23PM +0200, Jakob Schlyter wrote:

> I think the opt-in flag should be moved to a separate RR, a modified
> version of Ed Lewis' SEC RR would probably be a good choice (although I
> would perhaps like to call it ZSS for Zone Security Status instead).

I agree with having some sort of way of indicating the type of dnssec that is offered by that particular zone. This would also help with the NXT/NO problem as well. We used an unused bit in the KEY RR for opt-in given there was no other alternative.

> the opt-in flag is a per zone flag. as there could be multiple zone keys
> and if KEY would include this flag, all zone keys have to have the same
> flag (for that bit). also, as the zone keys are signed by the parent, the
> child can not change from/to opt-in without having the parent sign the
> child's key.

That brings up a question. Is it better or worse for this to be stored in the parent so the resolver knows what type of zone it is dealing with before it queries the child?

Mark

--
Mark Kosters markk@netsol.com Verisign Applied Research