[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Transition from 2535 to opt-in

To: Brian Wellington <Brian.Wellington@nominum.com>
Subject: Re: Transition from 2535 to opt-in
From: Olaf Kolkman <olaf@ripe.net>
Date: Fri, 30 Nov 2001 08:50:36 +0100
cc: namedroppers@ops.ietf.org, roy.arends@nominum.com, markk@verisign.com, davidb@verisign.com
In-Reply-To: Message from Brian Wellington <Brian.Wellington@nominum.com> of "Thu, 29 Nov 2001 15:51:48 PST." <Pine.LNX.4.33.0111291548380.28207-100000@spratly.nominum.com>


 * I don't think that this is a problem.  If a TLD is opt-in and a resolver
 * is not opt-in capable, it shouldn't contain a trusted-key for that TLD.

How does that work if you enter the zone from a parent? I see that as
long as the root is not signed this is not a problem for a TLD but in
a general case a zone that is supposed to be secure and that uses
opt-in will only have it's secured RRs visible.

For the generic case 2535 verifiers will have a problem with OPT-IN.

--Olaf




to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.

Follow-Ups:
- Re: Transition from 2535 to opt-in
  - From: Paul A Vixie <vixie@vix.com>
- Re: Transition from 2535 to opt-in
  - From: Roy Arends <Roy.Arends@nominum.com>

References:
- Re: Transition from 2535 to opt-in
  - From: Brian Wellington <Brian.Wellington@nominum.com>

Prev by Date: Re: Transition from 2535 to opt-in
Next by Date: Re: Transition from 2535 to opt-in
Prev by thread: Re: Transition from 2535 to opt-in
Next by thread: Re: Transition from 2535 to opt-in
Index(es):
- Date
- Thread