To: "Loomis, Rip" <GILBERT.R.LOOMIS@saic.com>
cc: dnssec@cafax.se
From: Brian Wellington <Brian.Wellington@nominum.com>
Date: Thu, 29 Aug 2002 08:34:03 -0700 (PDT)
In-Reply-To: <3C1E3607B37295439F7C409EFBA08E680E2DBF@US-Columbia-CIST.mail.saic.com>
Sender: owner-dnssec@cafax.se
Subject: Re: Dynamic update, signed zones, and DS/Opt-in
On Wed, 28 Aug 2002, Loomis, Rip wrote:

> - With opt-in on each record (which I was previously
> against, but which is at least a possibility), I
> could allow dynamic hosts to opt-out...so that
> I could secure the "main" records in a zone but
> allow mobile/dynamic update folks to change their
> data without requiring a whole new set of NXT/
> SIG records. (yes, I know that opt-in might be
> near death right now...I'm just wondering if
> the "opt-in on each record" case that Verisign
> strongly advocated might not have another benefit.)

For the record, this doesn't quite work. When names are added or deleted, even if unsigned, this might cause NXTs to be modified to either add or delete the NXT bit, and they will need to be resigned. Also, the SOA needs to be updated and resigned.

As it stands, opt-in is not useful for dynamic zones, since there's no way to specify whether the new records should be signed or not.

Brian
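To make the point in the reply concrete, here is an added example (not part of the thread, and not code from any of the participants) that models an opt-in NXT chain and reports which NXT records change, and so must be re-signed, after a single dynamic update. The model is an assumption simplified from the opt-in proposal: each signed name owns an NXT pointing at the next signed name in canonical order, an NXT whose span contains unsigned names lacks the NXT bit in its type bitmap, and the zone and names (`example.`, `a.example.`, and so on) are constructed sample data.

```python
"""
Simplified opt-in NXT chain (assumed model, not the exact draft semantics):
  - every signed name owns an NXT record pointing to the next signed name in
    canonical order; the last NXT wraps around to the apex;
  - an NXT whose span contains unsigned (opted-out) names carries no NXT bit
    in its type bitmap; a span with no unsigned names carries the NXT bit;
  - the SOA at the apex is always updated and re-signed after any change.
"""


def canonical_key(name):
    # DNSSEC canonical ordering: compare labels right to left, case-insensitively.
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def build_chain(apex, signed, unsigned):
    """Return {owner: (next_signed_name, has_nxt_bit)} for every signed name."""
    signed_sorted = sorted(set(signed) | {apex}, key=canonical_key)
    chain = {}
    for i, owner in enumerate(signed_sorted):
        nxt = signed_sorted[(i + 1) % len(signed_sorted)]
        lo, hi = canonical_key(owner), canonical_key(nxt)

        def in_span(k):
            # Names strictly between owner and nxt; the final span wraps around.
            if lo < hi:
                return lo < k < hi
            return k > lo or k < hi

        opted_out = any(in_span(canonical_key(u)) for u in unsigned)
        chain[owner] = (nxt, not opted_out)
    return chain


def nxt_records_to_resign(apex, signed, unsigned, add=None, delete=None, sign_new=False):
    """Apply one dynamic update (add or delete a name) and return the owner names
    whose NXT record changed and therefore needs a fresh SIG.  The SOA is not
    listed because it must be re-signed after every update regardless."""
    before = build_chain(apex, signed, unsigned)
    signed, unsigned = set(signed), set(unsigned)
    if add is not None:
        (signed if sign_new else unsigned).add(add)
    if delete is not None:
        signed.discard(delete)
        unsigned.discard(delete)
    after = build_chain(apex, signed, unsigned)
    changed = [o for o in after if before.get(o) != after[o]]
    return sorted(changed, key=canonical_key)


if __name__ == "__main__":
    # Constructed sample zone: apex plus two signed names, no opted-out names yet.
    apex, signed, unsigned = "example.", {"a.example.", "c.example."}, set()
    # Adding an unsigned name flips a.example.'s span to opt-in: its NXT changes.
    print(nxt_records_to_resign(apex, signed, unsigned, add="b.example."))
    # Adding a signed name splits the span: predecessor's NXT and a new NXT.
    print(nxt_records_to_resign(apex, signed, unsigned, add="b.example.", sign_new=True))
    # Removing the only unsigned name in a span flips it back to secure.
    print(nxt_records_to_resign(apex, signed, {"b.example."}, delete="b.example."))
    # Adding a second unsigned name into an already opt-in span touches no NXT
    # (the SOA still has to be re-signed).
    print(nxt_records_to_resign(apex, signed, {"b.example."}, add="bb.example."))
```

The only update that leaves every NXT untouched is one that adds or removes an unsigned name inside a span that already contains other unsigned names; every other case, including adding an unsigned name into a previously secure span, changes at least one NXT and its SIG, and the SOA has to be re-signed in all of them.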