Re: DS and Opt-in - a proposal
On Thu, 27 Dec 2001, Olaf M. Kolkman wrote:
> On Fri, 21 Dec 2001 15:15:50 -0800
> Olafur Gudmundsson <ogud@ogud.com>, Randy Bush <randy@psg.com> wrote:
>
> One detail.
>
> > o The value of authenticated denial is not clear, for some it is important,
> > for others it is only a nice but sometimes expensive property.
>
> I would like to know if there will be a new version of the OPT-in
> draft that allows opt-in only over delegation records? ( I am still
> afraid that 'security status' on a level more granular than zone level
> will make troubleshooting of verifiers a difficult exercise. Reducing
> the usability of OPT-in to delegations only might help to keep
> deployment limited to only the largest (g|c)TLDs. I understood
> 'delegation only' was considered for a new version of the draft.)
We are not talking about authenticated [denial of] existence in general,
only about authenticated [denial of] existence of unsecured names.
Imagine going into a tourist office (.city), the only authoritative
place in town to get the authenticatable, verifiable information from.
I ask for the address of "hall.city".
The "hall.city" delegation is not secured.
The clerk is going to tell me "it exists".......
That's not really helpful now, is it? I can't go anywhere else to look it
up (it's the only authoritative place in town) and I'm left with a
statement that "hall.city exists"
(I knew it existed, that's why I came in that office for the address in
the first place).
I call that "false sense of security".
Oh, and "we" are not giving anything up, "we" give a choice to the
domain holder.
Roy
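A toy model of what a verifier can conclude from a signed chain that contains opt-in spans, added here to illustrate the exchange above (it is not code from the thread, and not the Opt-in draft's record format); the zone layout, the `Span`/`Zone` structures and the status names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Span:
    owner: str     # a signed owner name
    next: str      # the next signed owner name in canonical order
    opt_in: bool   # True: unsigned delegations may sit between owner and next

@dataclass
class Zone:
    signed: dict    # name -> data covered by a verifiable signature
    unsigned: dict  # unsigned delegations: in the zone, absent from the signed chain
    spans: list     # the signed chain, in canonical order; last span wraps to apex

def _key(name: str):
    # Order names by labels from the apex down (approximates DNS canonical order).
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def covering_span(zone: Zone, qname: str) -> Span:
    """Return the signed span whose interval contains qname (qname not signed)."""
    q = _key(qname)
    for s in zone.spans:
        lo, hi = _key(s.owner), _key(s.next)
        if lo < hi and lo < q < hi:
            return s
        if lo >= hi and (q > lo or q < hi):   # the last span wraps to the apex
            return s
    raise ValueError(f"no span covers {qname}")

def verify(zone: Zone, qname: str) -> str:
    """What the signed chain alone lets a verifier conclude about qname:
    SECURE (its data is signed), DENIED (a non-opt-in span proves it absent),
    UNSECURED (in an opt-in span: existence, denial and data all unauthenticated)."""
    if qname in zone.signed:
        return "SECURE"
    if covering_span(zone, qname).opt_in:
        return "UNSECURED"
    return "DENIED"

# Constructed sample zone (assumption): park.city and zoo.city are secure
# delegations, hall.city is an unsigned delegation inside an opt-in span.
ZONE = Zone(
    signed={"city": "SOA+DNSKEY", "park.city": "NS+DS", "zoo.city": "NS+DS"},
    unsigned={"hall.city": "NS (unsigned, no DS)"},
    spans=[Span("city", "park.city", opt_in=True),
           Span("park.city", "zoo.city", opt_in=False),
           Span("zoo.city", "city", opt_in=False)],
)

if __name__ == "__main__":
    for q in ("park.city", "hall.city", "library.city", "quay.city"):
        # hall.city (exists, unsigned) and library.city (does not exist) look alike
        print(f"{q:14s} {verify(ZONE, q):10s} {ZONE.unsigned.get(q, '')}")
```

The run shows the trade-off in the quoted text: inside the opt-in span the chain can neither authenticate hall.city's delegation nor deny library.city, while quay.city in a fully signed span still gets authenticated denial.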