To: Roy Arends <Roy.Arends@nominum.com>
Cc: Edward Lewis <lewis@tislabs.com>, Mark Kosters <markk@netsol.com>, dnssec@cafax.se
From: Mark Kosters <markk@netsol.com>
Date: Thu, 12 Jul 2001 15:19:42 -0400
Content-Disposition: inline
Delivery-Date: Fri Jul 13 09:35:35 2001
In-Reply-To: <E15Hr65-000OKy-00@psg.com>; from Roy.Arends@nominum.com on Wed, Jul 04, 2001 at 11:09:57AM -0700
Sender: owner-dnssec@cafax.se
User-Agent: Mutt/1.3.17i
Subject: Re: Ideas on opt-in, was Re: I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt
On Wed, Jul 04, 2001 at 11:09:57AM -0700, Roy Arends wrote:
> The problem is that an administrator can secure a zone as thick as he
> wants, a resolver can be tricked into accepting an unsecured record (that
> in fact does not exist in the zone) because there is no indication how a
> NXT should be interpreted. In this case, the resolver could interpret the
> NXT as "nothing is signed between the NXT's label and the next domain
> name" while the domain holder meant it as "nothing exists between the
> NXT's label and the next domain name".
>
> That is a loss (though a minor one, I agree) on security. That is why
> there should be an indication how to interpret the NXT record. There is
> and was no discussion on that. In the draft the indication is done by
> setting bit 4 in the KEY flag field.
>
> This however imposes either "full secured" (bit=0) or "partially secured"
> (bit=1) on the whole zone. When the latter is imposed it means there is
> absolutely no way of saying "authenticated denial of existence" for some
> record.
>
> When setting a bit in the NXT record, and not in KEY, there is still the
> distinction between "full secured (denial of existence)" and "partially
> secured (denial of signatures)", though not on a zone basis, but on a
> record basis.

<getting back to my email while being on vacation - trimmed also to dnssec>

This is about the best statement yet on moving the "opt-in" identification from the key rr to the nxt rr.

Mark

-- 
Mark Kosters markk@netsol.com
Verisign Applied Research
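The ambiguity Roy describes above, and the difference between a zone-wide KEY bit and a per-record NXT bit, can be made concrete with a small resolver model. The following is an added example written for this page; it is not code from the thread, from the opt-in draft, or from any DNSSEC implementation. It assumes a simplified canonical name order (labels reversed, compared case-insensitively), treats SIG verification as a boolean, gives the NXT a hypothetical `opt_in` field standing in for the bit Roy proposes, and uses a constructed zone `example.` with three NXT spans. Wire formats are not modeled.

```python
"""Toy model of DNSSEC NXT semantics with and without an opt-in indicator.

Added example, not code from the mailing-list thread. Assumptions:
- canonical order is approximated by reversing labels and comparing tuples;
- every NXT shown is taken to be signed and already verified;
- NXT.opt_in is a hypothetical per-record bit modeling the proposal in the
  quoted text; KEY "bit 4" is modeled as the key_opt_in argument.
"""
from dataclasses import dataclass
from typing import List, Optional


def canonical_key(name: str) -> tuple:
    """Approximate DNSSEC canonical ordering: compare label tuples, most
    significant label first, case-insensitively. 'example.' < 'a.example.'."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


@dataclass(frozen=True)
class NXT:
    owner: str
    next_name: str
    opt_in: bool = False  # hypothetical per-record indicator (assumption)

    def covers(self, qname: str) -> bool:
        """True if qname sorts strictly between owner and next_name.
        The last NXT of a zone points back to the apex, so its span wraps."""
        k, lo, hi = canonical_key(qname), canonical_key(self.owner), canonical_key(self.next_name)
        if lo < hi:
            return lo < k < hi
        return k > lo or k < hi  # wraparound span ending at the apex


# Constructed zone: the alpha..mike span holds unsigned delegations (opt-in),
# the other two spans are fully secured.
ZONE_NXTS: List[NXT] = [
    NXT("example.", "alpha.example."),
    NXT("alpha.example.", "mike.example.", opt_in=True),
    NXT("mike.example.", "example."),
]


def covering_nxt(nxts: List[NXT], qname: str) -> Optional[NXT]:
    for n in nxts:
        if n.covers(qname):
            return n
    return None


def accepts_unsigned(qname: str, nxts: List[NXT], semantics: str, key_opt_in: bool = False) -> bool:
    """Would a resolver accept an UNSIGNED record for qname, given the NXT
    covering it and the rule it uses to interpret that NXT?

    semantics:
      'exists' - NXT means "nothing exists in the span": reject unsigned data
      'signed' - NXT means "nothing is signed in the span": accept unsigned data
      'key'    - KEY bit 4 picks one of the two for the whole zone
      'nxt'    - a bit in each NXT picks per span
    With no indicator at all the resolver is left guessing between
    'exists' and 'signed', which is the attack surface in the quoted text."""
    n = covering_nxt(nxts, qname)
    if n is None:
        return False  # no covering NXT: nothing proves anything, reject
    if semantics == "exists":
        return False
    if semantics == "signed":
        return True
    if semantics == "key":
        return key_opt_in
    if semantics == "nxt":
        return n.opt_in
    raise ValueError(f"unknown semantics {semantics!r}")


def authenticated_denial(qname: str, nxts: List[NXT], semantics: str, key_opt_in: bool = False) -> bool:
    """Can the resolver treat the covering NXT as proof that qname does not
    exist? Exactly the cases in which it would refuse unsigned data."""
    return covering_nxt(nxts, qname) is not None and not accepts_unsigned(
        qname, nxts, semantics, key_opt_in
    )


if __name__ == "__main__":
    forged = "bogus.example."   # attacker-supplied name in the opt-in span
    absent = "zulu.example."    # nonexistent name in a fully secured span
    for sem, key in (("exists", False), ("signed", False), ("key", True), ("nxt", False)):
        print(sem, key,
              "forged accepted:", accepts_unsigned(forged, ZONE_NXTS, sem, key),
              "denial for zulu:", authenticated_denial(absent, ZONE_NXTS, sem, key))
```

Running it shows the two points made in the quoted mail: with no indicator, the same NXT either rejects or accepts the forged `bogus.example.` depending purely on which meaning the resolver guesses; with the indicator in KEY and bit 4 set, `zulu.example.` can no longer be authentically denied anywhere in the zone, whereas with the bit carried per NXT the `mike..apex` span still denies it while the `alpha..mike` span admits unsigned data.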