

To: Miek Gieben <miekg@nlnetlabs.nl>
Cc: Scott Rose <scottr@antd.nist.gov>, <dnssec@cafax.se>, DNSEXT WG Mailing list <namedroppers@ops.ietf.org>
From: Roy Arends <Roy.Arends@nominum.com>
Date: Wed, 4 Jul 2001 14:31:48 +0200 (CEST)
In-Reply-To: <20010704140646.B37537@atoom.net>
Sender: owner-dnssec@cafax.se
Subject: Re: I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt

On Wed, 4 Jul 2001, Miek Gieben wrote:

> [On 03 Jul, 2001, Scott Rose wrote in " I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt "]
> >
> >  If the group decides to use a bit to determine the opt-in status (I haven't
> > decided if I like the idea or not - right now I'm leaning towards "not" but
> > don't have a better solution yet) - let's pick an unused number to avoid any
>
> Which zones are going to use opt-in? .com and .net? Can't we just say
> that we will never do DNSSEC on .com/.net and friends. If you want to
> be secure, get your secure domain name under .secure?

1) There is the RFC-1035 style zone (unsigned)
2) There is the RFC-2535 style zone (fully signed)
3) There is the opt-in style zone (partially signed)

1) is used now.
2) is DNSSEC.
3) is what this discussion is about. Combining 1+2.

The opt-in draft describes the opt-in style as a combined view of 1+2.
Other arguments merely are about combining the two styles in one zone.
Not through server configuration (i.e. having to combine 2 zones/views).

It is absolutely of NO IMPORTANCE if .com/.net and friends go for 3. It
would still be DNSSEC for their signed delegations.

The effort that Verisign is making (opt-in draft) shows that they want
DNSSEC. Which is a big step forward.

In general, using opt-in relieves large TLDs from signing each and every
individual Resource Record and creating (null/real) keys + sig + nxt + sig
over unsigned delegations.

Going through the ICANN process and obtaining the .secure TLD seems very
heavy. And next to that, the .secure TLD registry probably wants opt-in
too.

Roy Arends
Nominum


