To: Derek Atkins <warlord@MIT.EDU>
Cc: David Blacka <davidb@research.netsol.com>, namedroppers@ops.ietf.org, dnssec@cafax.se
From: Edward Lewis <lewis@tislabs.com>
Date: Wed, 17 Oct 2001 16:40:10 -0400
In-Reply-To: <sjmbsj712sv.fsf@rcn.ihtfp.org>
Sender: owner-dnssec@cafax.se
Subject: Re: comments on delegation signer
At 9:19 PM -0400 10/16/01, Derek Atkins wrote:
>I was under the impression that this was implied by the fact that the

Either way, the document should make the inclusion of DS or NXT explicit.

Mr. Blacka's assessment that stripping data to go from secure to unsecure is a concern. I wonder if that was the thought (that removing data only makes the source appear to be more secure[1]) behind the NULL KEY RR set way back in the day when DNSSEC was first hammered out.

[1] I.e., by removing an insecurity statement, the source appears to be more secure - hence a signature is expected. Since zonejackers can more easily remove records than add seemingly valid signatures, the NULL KEY was the way to go - up until operational considerations made us question the workload needed for the approach.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.
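The downgrade concern discussed in this message (a zonejacker stripping the parent's DS so the child looks unsecured) is easy to model from the validator's side. The following is an added example, not code from the thread or from any DNSSEC implementation: it treats a delegation as unsecured only when the parent supplies a signed NXT proving that no DS exists, and classifies silent absence as bogus. The HMAC-based `sign`/`verify` pair is a constructed stand-in for RRSIG verification so the example runs offline; the zone names and DS rdata are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the parent zone's signing key. Real DNSSEC uses
# public-key signatures (SIG/RRSIG); an HMAC is used here only to run offline.
PARENT_KEY = b"constructed-parent-zone-key"


def sign(owner: str, rrtype: str, rdata: str) -> str:
    """Stand-in for producing a signature over one RRset."""
    msg = f"{owner}|{rrtype}|{rdata}".encode()
    return hmac.new(PARENT_KEY, msg, hashlib.sha256).hexdigest()


def verify(owner: str, rrtype: str, rdata: str, sig: str) -> bool:
    """Stand-in for validating that signature with the parent's key."""
    return hmac.compare_digest(sign(owner, rrtype, rdata), sig)


@dataclass
class RRset:
    owner: str
    rrtype: str   # "DS" or "NXT" for this example
    rdata: str    # for NXT: next owner name followed by the type bitmap
    sig: str = "" # empty string models a record that carries no signature


def classify_delegation(child: str, rrsets: list[RRset]) -> str:
    """Return 'secure', 'unsecure' or 'bogus' for the delegation to `child`.

    Only signed data can change the verdict: a signed DS makes the delegation
    secure, a signed NXT whose type bitmap lacks DS proves it is unsecured.
    Anything else, including a DS that was simply removed, is bogus, so the
    stripping attack described in the message does not yield a downgrade."""
    for rr in rrsets:
        if rr.owner != child or not verify(rr.owner, rr.rrtype, rr.rdata, rr.sig):
            continue  # wrong name or unverifiable signature: ignore this RRset
        if rr.rrtype == "DS":
            return "secure"
        if rr.rrtype == "NXT" and "DS" not in rr.rdata.split()[1:]:
            return "unsecure"
    return "bogus"


def signed(owner: str, rrtype: str, rdata: str) -> RRset:
    """Build an RRset carrying a valid (stand-in) signature from the parent."""
    return RRset(owner, rrtype, rdata, sign(owner, rrtype, rdata))
```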