
DNSSEC Opt In



I had a talk with Mark about the draft, and came to the following point that I 
wanted to bring to the group for discussion.

Mark's premise is that the NS list for the secure and non-secure zones is the 
same and that "magic happens" in some way to separate the secure and 
non-secure queries (we discussed several implementation options for this.)

I think that we could look at changing the NS list sets to be explicit. If 
there were separate NS lists for with opt DO and without, then there is 
no need for the "magic happens" part of the process. It would mean having some 
way of telling a resolver which opts are covered by this NS set when passing 
the glue back. There is nothing that requires running a zone as opt-in, so we 
can punt doing this for the root.

It does bring up a problem. If this is a precedent for deploying other complex 
options to DNS, then you get into the combinatorial problem of NS sets. I 
believe this is a problem of either the implicit or explicit flavors of this 
solution, but it is more clear in the explicit case. Without having some 
answer for the combinatorial options problem, this becomes a one time bullet.

jerry



