

To: Mark Kosters <markk@netsol.com>, Roy Arends <Roy.Arends@nominum.com>
Cc: Edward Lewis <lewis@tislabs.com>, dnssec@cafax.se
From: Edward Lewis <lewis@tislabs.com>
Date: Thu, 12 Jul 2001 17:18:26 -0400
Delivery-Date: Fri Jul 13 09:35:40 2001
In-Reply-To: <20010712151942.E2079@slam.admin.cto.netsol.com>
Sender: owner-dnssec@cafax.se
Subject: opt-in & unsigned rrsets

This is getting to be a bumpy ride. ;)  I've tried a few times to reply to
the opt-in and unsigned rrsets drafts, but so far have been stymied.  The
two drafts are very similar but very different.  Perhaps I need another
night of sleep, but it seems that we want to change the way NXT is used to
do two things.  One is to lessen the burden of unsecured delegations and
the other is to manage unsigned data.

One possibility is to stick with the NXT, but for an unsecured delegation,
place some value in the types present bit map.  For unsigned data at a
name, we could define a null SIG RR.

I'm just throwing these out, I know they aren't solving all the problems we
have.

I suppose I do want to ask:

1) Is the threat of unauthorized, unsecured delegations a problem big
enough that a registry would want to seal a zone of largely unsecured
delegations?  Is the problem the NXT chain or the NULL key management?

2) Would it be sufficient to go secured/unsecured by domain and not by set?
I.e., a host's A and HINFO might both have to be signed, or both have to be
unsigned - or do we want to allow a host to have a signed A and an unsigned
HINFO?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.


