
Re: Transition from 2535 to opt-in



On Wed, 5 Dec 2001, Edward Lewis wrote:

> At 5:50 AM -0500 12/5/01, Ted Lindgreen wrote:
> >OptIn: if OptIn, why not just forget NXT?
>
> The question of whether "authenticated denial is desired" has been answered
> "yes" a number of times over the past year or so.  The question has been
> raised by the WG chair on the list and in person at London.  So it appears
> that there is a desire to provide the service.  (Why?  I don't know)

Why?

In a secured world I want cryptographic proof that somebank.info does not
exist if asked for. Simply handing over an NXDOMAIN status doesn't cut it;
anyone could give me that status, and there is nothing to cryptographically
verify. It would make a beauty of a DoS if it did.

> Opt-In allows those who want authenticated denial to have that service.
> Because opt-in has a means to indicate when it is in use, there is no
> ambiguity on the part of the resolver when it comes to understanding the
> situation.  Signalling opt-in is done by the lack of the NXT bit in the NXT
> RRDATA's type bitmap.  I think this is a solid but expensive way to
> indicate the status.
>
> Solid in terms of its indication - there is only one bit involved to
> communicate yes/no, so there is no conflict possible in the resolver's
> processing.  Unlike trying to tag the zone key set to indicate the way a
> zone operates, which means multiple bits indicating a yes/no status, this
> indication leaves no room for ambiguity.
>
> Expensive in that this mechanism can only be done once.  If we use the NXT
> bit in the bitmap for this purpose, it can't be done again.

Solid indeed; expensive? The RFC 2535 NXT design was expensive to begin
with.  It's a closed design, not open to extend anything. And that the NXT
is absolutely necessary right now is even worse. How do you replace that
in the future? Very hard to do.

If we were to design a new NXT (let's call it NEX for argument's sake), how and
where do we signal between NXT, NEX and NO records if at least one of
them is mandatory? In the SEC record? And how do we give authenticated
denial for that SEC record? Would that be done with NXT, NEX or NO? And
where would that be signalled? In the parent? Am I going in loops?

The above is the real reason why opt-in moved from signalling by KEY to
signalling by NXT (the reason I wrote the no-sig draft).

The current NXT design can be extended by simply assigning pseudo-RRtypes
(huh?, yep!): types that only exist in the type bit map of an NXT record
(the original NO-SIG design), but then again, that would be an even uglier
hack than using the redundant NXT bit in the type bit map.

Proposing to design a new NXT type (=add a few more years) from the ground
up would probably get me shot in SLC by some religious DNSSEC fanatic.

Time is the most expensive protocol of all.

Roy Arends
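The two mechanisms discussed above, as an added example that is not part of the thread or any DNSSEC implementation: decoding an RFC 2535 NXT RDATA, reading the type bit map, treating an absent NXT bit as the opt-in signal, and checking whether an NXT proves that a queried name does not exist. The type codes (SIG=24, NXT=30), the sample RDATA and the label-by-label canonical ordering rule are assumptions of the example.

```python
# Added example (not from the thread): decode an RFC 2535 NXT RDATA, read the
# type bit map, detect the opt-in signal (NXT bit absent) and check whether an
# NXT "covers" a queried name, i.e. proves that the name does not exist.
# Type codes and the ordering rule are assumptions of this example.

SIG_TYPE = 24
NXT_TYPE = 30   # absent from its own bit map => opt-in, per the quoted text

def decode_name(wire, offset=0):
    """Decode an uncompressed wire-format name; return (labels, new offset)."""
    labels = []
    while True:
        length = wire[offset]
        offset += 1
        if length == 0:
            return labels, offset
        labels.append(wire[offset:offset + length].lower())
        offset += length

def decode_nxt(rdata):
    """Return (next_name_labels, set of RR type codes set in the bit map)."""
    next_name, off = decode_name(rdata)
    types = set()
    for byte_index, byte in enumerate(rdata[off:]):
        for bit in range(8):
            if byte & (0x80 >> bit):      # bit zero is the most significant bit
                types.add(byte_index * 8 + bit)
    return next_name, types

def is_opt_in(types):
    """Opt-in NXT: the NXT bit itself is not set in the type bit map."""
    return NXT_TYPE not in types

def canonical_key(labels):
    """Sort key for canonical DNS name order: labels compared right to left."""
    return tuple(reversed(labels))

def nxt_covers(owner, next_name, qname, apex):
    """True if qname sorts strictly between owner and next_name.
    The last NXT of a zone points back at the apex, so it covers every
    name that sorts after its owner (the wrap-around case)."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if n == canonical_key(apex):
        return o < q
    return o < q < n

if __name__ == "__main__":
    # Constructed sample: alpha.example NXT delta.example, types A SIG NXT
    nxt_rdata = b"\x05delta\x07example\x00\x40\x00\x00\x82"
    nxt_next, nxt_types = decode_nxt(nxt_rdata)
    print(nxt_next, sorted(nxt_types), "opt-in:", is_opt_in(nxt_types))
    print(nxt_covers([b"alpha", b"example"], nxt_next, [b"bravo", b"example"], [b"example"]))
```

A resolver that only accepts an unsigned NXDOMAIN has nothing to feed into `nxt_covers`; the bit map and the owner/next gap are what make the denial verifiable once the NXT's SIG has been checked.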


