

To: Roy Arends <Roy.Arends@nominum.com>
cc: DNSEXT <namedroppers@ops.ietf.org>, <dnssec@cafax.se>
From: Mats Dufberg <dufberg@nic-se.se>
Date: Thu, 5 Jul 2001 01:45:26 +0200 (CEST)
Delivery-Date: Thu Jul 5 12:17:48 2001
In-Reply-To: <Pine.BSF.4.33.0107032119330.8709-100000@node10c4d.a2000.nl>
Sender: owner-dnssec@cafax.se
Subject: Re: I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt

On Tue, 3 Jul 2001, Roy Arends wrote:

> There is no NXT/NO problem that has to be solved by SEC. Both RR types can
> be in a zone, the server serves it, the resolver interprets it. I don't
> see why a SEC record should indicate that there are NO records in a zone
> or NXT records in a zone. The response clearly has either NXT or NO in its
> response.
>
> (The only reason for a SEC record I can think of is to indicate that there
> are neither NO nor NXT records. That would obsolete opt-in altogether)
>
> Note that this is not a "what to expect" thing. If the parent states that
> a child is signed, the resolver expects either NXT or NO. (NO RR is still
> draft of course).
>
> It is a chicken or egg thing. If there exists no SEC RR for the child,
> it gets either NXT or NO.

If a signed zone without either NXT or NO is to be permitted, then that
could be signaled by one NXT record, at the apex, with an RDATA not
possible in the normal use of NXT.


Mats

-----------------------------------------------------------------
Mats Dufberg                                     +46-8-545 857 06
dufberg@nic-se.se                           fax: +46-8-545 857 29



