Re: Protection of unsecured delegations



> The strongest argument I have heard against OPT-in is that
> "OPT-in removes the protection of the innocent get with DNSSEC".

not exactly.  it has been generally phrased as

    it changes the basic security model of dnssec from a secure signed
    zone to a collection of signed and unsigned rrsets, and we do not
    _fully_ understand the implications of this from the security pov,
    but some security folk have expressed serious concern.

your message does explore some of the implications.  but i hope smb and
others will express their concerns so that i can understand them.

randy


to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.