

To: Roy Arends <Roy.Arends@nominum.com>
Cc: Edward Lewis <lewis@tislabs.com>, Mark Kosters <markk@netsol.com>, dnssec@cafax.se
From: Mark Kosters <markk@netsol.com>
Date: Thu, 12 Jul 2001 15:19:42 -0400
Content-Disposition: inline
Delivery-Date: Fri Jul 13 09:35:35 2001
In-Reply-To: <E15Hr65-000OKy-00@psg.com>; from Roy.Arends@nominum.com on Wed, Jul 04, 2001 at 11:09:57AM -0700
Sender: owner-dnssec@cafax.se
User-Agent: Mutt/1.3.17i
Subject: Re: Ideas on opt-in, was Re: I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt

On Wed, Jul 04, 2001 at 11:09:57AM -0700, Roy Arends wrote:
> The problem is that an administrator can secure a zone as thick as he
> wants, a resolver can be tricked into accepting an unsecured record (that
> in fact does not exist in the zone) because there is no indication how a
> NXT should be interpreted. In this case, the resolver could interpret the
> NXT as "nothing is signed between the NXT's label and the next domain
> name" while the domain holder meant it as "nothing exists between the
> NXT's label and the next domain name".
> 
> That is a loss (though a minor one, I agree) on security. That is why
> there should be an indication how to interpret the NXT record. There is
> and was no discussion on that. In the draft the indication is done by
> setting bit 4 in the KEY flag field.
> 
> This however imposes either "full secured" (bit=0) or "partially secured"
> (bit=1) on the whole zone. When the latter is imposed it means there is
> absolutely no way of saying "authenticated denial of existence" for some
> record.
> 
> When setting a bit in the NXT record, and not in KEY, there is still the
> distinction between "full secured (denial of existence)" and "partially
> secured (denial of signatures)", though not on a zone basis, but on a
> record basis.

<getting back to my email while being on vacation - trimmed also to
dnssec>

This is about the best statement yet on moving the "opt-in" identification 
from the key rr to the nxt rr.

Mark

-- 

Mark Kosters             markk@netsol.com       Verisign Applied Research
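The two readings of an NXT gap that Roy describes above (zone-wide bit in KEY versus a per-record bit in NXT) are easy to lose in prose, so here is a small added model of a resolver's decision, written for this archive page and not taken from the thread, the draft, or any DNSSEC implementation. The zone, the names, the flag constant and the NXT records are all constructed; the only thing borrowed from the discussion is "bit 4 of the KEY flags" as the zone-wide indicator. It shows the loss Roy points out: with the indicator in KEY, a forged unsigned answer for a name in a gap meant to be "nothing exists" is accepted, while the per-NXT indicator still gives authenticated denial for that gap and permits unsigned data only in the gap explicitly marked as opt-in.

```python
"""Toy model of where the 'opt-in' indicator lives: KEY flags (zone-wide) vs NXT (per record).

Everything here is constructed for illustration; it is not DNSSEC wire format or real
validation logic, and the canonical ordering is only an approximation.
"""
from dataclasses import dataclass

# "bit 4 in the KEY flag field" as the draft is described in the thread (toy constant).
OPT_IN_KEY_FLAG = 1 << 4


@dataclass(frozen=True)
class NXT:
    owner: str
    next_name: str
    types: frozenset
    opt_in: bool = False  # hypothetical per-record indicator (the alternative proposed above)


@dataclass(frozen=True)
class Zone:
    apex: str
    key_flags: int
    nxts: tuple


def canonical_key(name):
    """Sort key approximating DNSSEC canonical order: case-folded labels, compared right to left."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def covering_nxt(zone, name):
    """Return the NXT whose (owner, next) span strictly contains `name`, or None.

    None is returned for names outside the zone and for names that exist (an NXT owner).
    The last NXT of a zone points back to the apex, so its span wraps around.
    """
    apex_key = canonical_key(zone.apex)
    k = canonical_key(name)
    if k[: len(apex_key)] != apex_key:
        return None  # not below the apex: no NXT in this zone says anything about it
    for nxt in zone.nxts:
        lo, hi = canonical_key(nxt.owner), canonical_key(nxt.next_name)
        if lo < k < hi:
            return nxt
        if hi <= lo and (k > lo or k < hi):  # wrap-around span ending at the apex
            return nxt
    return None


def accept_unsigned_answer(zone, name, where):
    """Decide whether an unsigned positive answer for `name` should be accepted when the
    covering NXT is presented alongside it.

    where == "key": the opt-in indicator is bit 4 of the KEY flags (whole zone).
    where == "nxt": the opt-in indicator is a bit carried by each NXT (per record).
    Returns (accepted, reason).
    """
    nxt = covering_nxt(zone, name)
    if nxt is None:
        return False, "no covering NXT: the gap is not proven, treat the answer as bogus"
    if where == "key":
        partially_secured = bool(zone.key_flags & OPT_IN_KEY_FLAG)
    elif where == "nxt":
        partially_secured = nxt.opt_in
    else:
        raise ValueError("where must be 'key' or 'nxt'")
    if partially_secured:
        return True, "NXT read as 'nothing is signed in the gap': unsigned data in the gap accepted"
    return False, "NXT read as 'nothing exists in the gap': authenticated denial, unsigned data rejected"


# Constructed zone: the first gap is meant as "nothing exists", the second holds
# unsigned delegations the owner chose to opt out of signing.
SAMPLE_ZONE = Zone(
    apex="example.test",
    key_flags=OPT_IN_KEY_FLAG,  # zone marked partially secured under the KEY-bit scheme
    nxts=(
        NXT("example.test", "secure.example.test", frozenset({"SOA", "NS", "KEY", "NXT", "SIG"})),
        NXT("secure.example.test", "example.test", frozenset({"A", "NXT", "SIG"}), opt_in=True),
    ),
)

FORGED = "forged.example.test"           # falls in the first gap; never existed
UNSIGNED_DELEG = "unsigned-deleg.example.test"  # falls in the opt-in gap


if __name__ == "__main__":
    for where in ("key", "nxt"):
        for qname in (FORGED, UNSIGNED_DELEG):
            ok, why = accept_unsigned_answer(SAMPLE_ZONE, qname, where)
            print(f"indicator in {where.upper():3}  {qname:30} accepted={ok!s:5}  {why}")
```

With the indicator in KEY the whole zone is "partially secured", so the forged name in the first gap is accepted just like the genuine unsigned delegation; with the indicator in each NXT, the first NXT (opt_in=False) still denies existence and the forged answer is rejected, while the second gap keeps its opt-in meaning.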
