
Re: Protection of unsecured delegations



I'd be less concerned about the delegation vs. leaf data issue for
opt-in as long as folks who haven't yet set up fully secured
delegations can opt for 2535-style null key.

I think there needs to be more text on resolver behavior, and, in
particular, a discussion of resolver search paths.

I can see resolvers doing any of:

[a] Do the lookup and only return trusted data.  Not useful to me
until everyone I care about has opted in.

[b] If there's trusted data anywhere on the path, return the first
trusted answer, otherwise return the first non-trusted answer.

[c] Return the first name along the path for which a query returns
some data.

Version [b] provides much better protection of the innocent than [c].

					- Bill
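
An added illustration, not part of the original message, of how the three resolver behaviours [a], [b] and [c] listed above diverge on a search path. The names, addresses, the `trusted` flag and the lookup table standing in for DNS queries are constructed sample data, and applying [a] to each name along the path is an assumption of this model.

```python
from typing import NamedTuple, Optional

class Answer(NamedTuple):
    name: str
    data: str
    trusted: bool  # True if the answer validated under a secured delegation

# Constructed sample data standing in for DNS lookups (not real zones).
ZONE = {
    "www.lab.example.": ("192.0.2.10", False),   # unsecured delegation
    "www.example.": ("192.0.2.20", True),        # secured delegation
    "mail.lab.example.": ("192.0.2.30", False),  # only an unsecured answer exists
}
SEARCH_PATH = ["lab.example.", "example."]       # tried in this order

def candidates(label, path=SEARCH_PATH, zone=ZONE):
    """Yield an Answer for each search-path name that returns some data."""
    for suffix in path:
        fqdn = f"{label}.{suffix}"
        if fqdn in zone:
            data, trusted = zone[fqdn]
            yield Answer(fqdn, data, trusted)

def resolve_a(label, **kw) -> Optional[Answer]:
    """[a] Only ever return trusted data."""
    return next((a for a in candidates(label, **kw) if a.trusted), None)

def resolve_b(label, **kw) -> Optional[Answer]:
    """[b] First trusted answer if one exists on the path, else first answer."""
    found = list(candidates(label, **kw))
    return next((a for a in found if a.trusted), found[0] if found else None)

def resolve_c(label, **kw) -> Optional[Answer]:
    """[c] First name on the path that returns any data, trusted or not."""
    return next(candidates(label, **kw), None)

if __name__ == "__main__":
    for label in ("www", "mail", "ftp"):
        for policy in (resolve_a, resolve_b, resolve_c):
            print(label, policy.__name__, policy(label))
```

For `www`, policies [a] and [b] both skip the unsecured `lab.example.` answer in favour of the trusted one later on the path, while [c] returns the unsecured answer; for `mail`, [a] returns nothing and [b] falls back to the untrusted data.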

