To: Mark Kosters <markk@netsol.com>, Roy Arends <Roy.Arends@nominum.com>
Cc: Edward Lewis <lewis@tislabs.com>, dnssec@cafax.se
From: Edward Lewis <lewis@tislabs.com>
Date: Thu, 12 Jul 2001 17:18:26 -0400
Delivery-Date: Fri Jul 13 09:35:40 2001
In-Reply-To: <20010712151942.E2079@slam.admin.cto.netsol.com>
Sender: owner-dnssec@cafax.se
Subject: opt-in & unsigned rrsets

This is getting to be a bumpy ride. ;)

I've tried a few times to reply to the opt-in and unsigned rrsets drafts, but so far have been stymied. The two drafts are very similar but very different.

Perhaps I need another night of sleep, but it seems that we want to change the way NXT is used to do two things. One is to lessen the burden of unsecured delegations and the other is to manage unsigned data.

One possibility is to stick with the NXT, but for an unsecured delegation, place some value in the types present bit map. For unsigned data at a name, we could define a null SIG RR.

I'm just throwing these out, I know they aren't solving all the problems we have. I suppose I do want to ask:

1) Is the threat of unauthorized, unsecured delegations a problem big enough that a registry would want to seal a zone of largely unsecured delegations? Is the problem the NXT chain or the NULL key management?

2) Would it be sufficient to go secured/unsecured by domain and not by set? I.e., a host's A and HINFO might both have to be signed, or both have to be unsigned - or do we want to allow a host to have a signed A and an unsigned HINFO?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NAI Labs
Phone: +1 443-259-2352
Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.