
Re: DS and Opt-in - a proposal



On Fri, 28 Dec 2001 11:14:01 +0100 (CET)
Roy Arends <Roy.Arends@nominum.com> wrote:

> 
> Restricting the use would be possible, but is, in reality, useless. If I
> could not leave a single name (end node) unsigned, I might delegate it
> away as an unsigned zone.
> 

That is indeed possible, just as it is possible in RFC 2535. But it
is clear what the status of the delegated zone is. All records are
verifiably unsecure.

If we want to secure the infrastructure we should build a protocol
that goes for maximum effect. My argument is that OPT-IN in
non-delegating zones will help in building a PKI but not secure the
infrastructure.

Administrators of large caches will not turn verification on if only a
few records in a few zones are signed; it is too expensive to
troubleshoot and there is little to gain. I think we are far from
having the applications or their host OSes doing their own
verification, so if administrators do not turn their caches into
verifying caches then DNSSEC has failed to secure the infrastructure.

The other interest group, users that want to use the DNS as a PKI, will
not suffer from OPT-IN. The verification will be done by the specially
designed applications. They are not interested in fully signed zones,
they just want to get to that one RR and need to verify it.

I can live with OPT-IN if it is designed to be a transition mechanism
for g|tLDs. If it is designed to be used throughout the whole tree,
DNSSEC will lose.


--Olaf


