To: Miek Gieben <miekg@nlnetlabs.nl>
Cc: Scott Rose <scottr@antd.nist.gov>, <dnssec@cafax.se>, DNSEXT WG Mailing list <namedroppers@ops.ietf.org>
From: Roy Arends <Roy.Arends@nominum.com>
Date: Wed, 4 Jul 2001 14:31:48 +0200 (CEST)
In-Reply-To: <20010704140646.B37537@atoom.net>
Sender: owner-dnssec@cafax.se
Subject: Re: I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt
On Wed, 4 Jul 2001, Miek Gieben wrote:

> [On 03 Jul, 2001, Scott Rose wrote in "I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt"]
> >
> > If the group decides to use a bit to determine the opt-in status (I haven't
> > decided if I like the idea or not - right now I'm leaning towards "not" but
> > don't have a better solution yet) - let's pick an unused number to avoid any
>
> Which zones are going to use opt-in? .com and .net? Can't we just say
> that we will never do DNSSEC on .com/.net and friends. If you want to
> be secure, get your secure domain name under .secure?

1) There is the RFC-1035 style zone (unsigned)
2) There is the RFC-2535 style zone (fully signed)
3) There is the opt-in style zone (partially signed)

1) is used now. 2) is DNSSEC. 3) is what this discussion is about: combining 1+2.

The opt-in draft describes the opt-in style as a combined view of 1+2. Other arguments are merely about combining the two styles in one zone, not through server configuration (i.e. having to combine 2 zones/views).

It is absolutely of NO IMPORTANCE if .com/.net and friends go for 3. It would still be DNSSEC for their signed delegations. The effort that Verisign is making (the opt-in draft) shows that they want DNSSEC, which is a big step forward.

In general, using opt-in relieves large TLDs from signing each and every individual Resource Record and from creating (null/real) keys + sig + nxt + sig over unsigned delegations.

Going through the ICANN process and obtaining the .secure TLD seems very heavy. And next to that, the .secure TLD registry probably wants opt-in too.

Roy Arends
Nominum
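The following is an added example, not part of the thread and not code from the opt-in draft or from Nominum. It models the three zone styles Roy lists, using the RFC 2535-era record names from his mail (KEY, SIG, NXT), and counts what a parent zone must generate and sign for a constructed set of delegations under full RFC 2535 signing versus opt-in. Two things are assumptions rather than the draft's own rules: the per-delegation record set is taken from the "(null/real) keys + sig + nxt + sig" line above, and opt-in is modelled as an NXT chain that links only the apex and the secure delegations, so one span may cover several unsigned names (the `opt-in` tag stands in for whatever marker the draft uses). The `span_covering` helper shows the defender-side consequence: a name that falls inside an opt-in span has no records of its own, so a validator must treat it as an unsigned delegation rather than as authenticated proof that the name does not exist.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    name: str      # owner name of the delegation point, e.g. "a.com."
    secure: bool   # True if the child zone is signed (publishes a real KEY)


def canonical_key(name):
    """Sort key approximating DNSSEC canonical name order: labels compared
    right to left, case-insensitively (sufficient for names under one apex)."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def nxt_chain(names):
    """Link the given owner names into a cyclic NXT chain in canonical order."""
    ordered = sorted(set(names), key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def rfc1035_records(apex, delegations):
    """Style 1 (unsigned): only NS records at each delegation point."""
    return [(d.name, "NS") for d in delegations]


def rfc2535_records(apex, delegations):
    """Style 2 (fully signed): every delegation carries a KEY (a null KEY for
    an unsigned child), SIG(KEY), NXT and SIG(NXT); the chain covers all names."""
    recs = [(apex, "KEY"), (apex, "SIG(KEY)")]
    for d in delegations:
        recs += [(d.name, "NS"),
                 (d.name, "KEY" if d.secure else "NULL KEY"),
                 (d.name, "SIG(KEY)")]
    for owner, nxt in nxt_chain([apex] + [d.name for d in delegations]):
        recs += [(owner, f"NXT {nxt}"), (owner, "SIG(NXT)")]
    return recs


def optin_records(apex, delegations):
    """Style 3 (opt-in, assumed model): unsigned delegations keep only their NS
    records; the NXT chain links the apex and the secure delegations only, so a
    single NXT span may cover several unsigned names."""
    recs = [(apex, "KEY"), (apex, "SIG(KEY)")]
    for d in delegations:
        recs.append((d.name, "NS"))
        if d.secure:
            recs += [(d.name, "KEY"), (d.name, "SIG(KEY)")]
    secure_names = [apex] + [d.name for d in delegations if d.secure]
    for owner, nxt in nxt_chain(secure_names):
        recs += [(owner, f"NXT {nxt} opt-in"), (owner, "SIG(NXT)")]
    return recs


def count_sigs(records):
    """Number of signatures the parent has to produce and maintain."""
    return sum(1 for _, rtype in records if rtype.startswith("SIG"))


def span_covering(chain, name):
    """Return the (owner, next) NXT pair whose span contains `name`, or None
    when `name` is itself a chain owner. Handles the wrap-around last span."""
    k = canonical_key(name)
    for owner, nxt in chain:
        lo, hi = canonical_key(owner), canonical_key(nxt)
        if k == lo:
            return None
        if lo < k < hi or (hi <= lo and (k > lo or k < hi)):
            return (owner, nxt)
    return None


# Constructed sample: a TLD with two signed and two unsigned children.
SAMPLE_APEX = "com."
SAMPLE_DELEGATIONS = [
    Delegation("a.com.", secure=True),
    Delegation("b.com.", secure=False),
    Delegation("c.com.", secure=False),
    Delegation("d.com.", secure=True),
]


def compare(apex=SAMPLE_APEX, delegations=SAMPLE_DELEGATIONS):
    """Return {style: (record count, signature count)} for the zone."""
    styles = {
        "rfc1035": rfc1035_records(apex, delegations),
        "rfc2535": rfc2535_records(apex, delegations),
        "opt-in": optin_records(apex, delegations),
    }
    return {k: (len(v), count_sigs(v)) for k, v in styles.items()}


if __name__ == "__main__":
    for style, (n, s) in compare().items():
        print(f"{style:8s} records={n:2d} signatures={s}")
    chain = nxt_chain(["com.", "a.com.", "d.com."])
    print("b.com. lies in opt-in span", span_covering(chain, "b.com."))
```

With the four-delegation sample the fully signed zone needs 24 records and 10 signatures, while the opt-in zone needs 16 records and 6 signatures; the saving grows with the proportion of unsigned children, which is the point Roy makes about large TLDs. The `span_covering` result for `b.com.` is the span `a.com.` to `d.com.`, which is exactly the case a validator must handle as "insecure delegation", not "name does not exist".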