
Re: Transition from 2535 to opt-in



On Fri, 30 Nov 2001, Olaf Kolkman wrote:

>
>  * I don't think that this is a problem.  If a TLD is opt-in and a resolver
>  * is not opt-in capable, it shouldn't contain a trusted-key for that TLD.
>
> How does that work if you enter the zone from a parent? I see that as
> long as the root is not signed this is not a problem for a TLD but in
> a general case a zone that is supposed to be secure and that uses
> opt-in will only have its secured RRs visible.
>
> For the generic case 2535 verifiers will have a problem with OPT-IN.

You are right when it comes to an opt-in zone, indicated secure by its
parent. 2535 verifiers will have a problem with unsigned data in an opt-in
zone, and they should! The verifiers don't have a problem with signed
data in an opt-in zone, as it is, eh, 2535-compatible(tm).

In general, non-upgraded verifiers lack new functions. In this case, I
don't see it any different than, for example, a verifier which cannot
handle DS.

You've made a good point though, this is not clearly mentioned in the
draft. We could put in a "transition" section.

Thanks and regards,

Roy


