Re: DS and Opt-in - a proposal
On Thu, 27 Dec 2001, Olaf M. Kolkman wrote:
> On Fri, 21 Dec 2001 15:15:50 -0800
> Olafur Gudmundsson <ogud@ogud.com>, Randy Bush <randy@psg.com> wrote:
>
> One detail.
>
> > o The value of authenticated denial is not clear, for some it is important,
> > for others it is only a nice but sometimes expensive property.
>
> I would like to know if there will be a new version of the OPT-in
> draft that allows opt-in only over delegation records? ( I am still
> afraid that 'security status' on a level more granular than zone level
> will make troubleshooting of verifiers a difficult exercise. Reducing
> the usability of OPT-in to delegations only might help to keep
> deployment limited to only the largest (g|c)TLDs. I understood
> 'delegation only' was considered for a new version of the draft.)
This was suggested on the conference call, but was not generally agreed
upon. One reason is that it makes verifiers more complicated, since they
not only need to verify the NXT records, but then additionally verify that
the record is a delegation (granted, this is not too hard). Also, the
restriction of opt-in to large delegating zones can be seen as a
disadvantage.
If the goal is to restrict the use of opt-in, this would do it, but I
don't know if that's the goal.
Brian