Re: DS and Opt-in - a proposal
> From: "Olaf M. Kolkman" <olaf@ripe.net>
> ...
> The reason is that securing the DNS as a whole is IMHO the whole
> purpose of the game. If we allow administrators to sign only a few RRs
> in a zone (which we do with non restricted OPT-IN) then we might end
> up in a situation where only the records that might be useful in a PKI
> context are signed.
>
> If we want to secure the DNS then security should not be optional on
> RR level because then the path of least resistance will be chosen and
> we end up with only a few RRs signed in each zone.
> ...

From a zone administrator's point of view, given the tools I know exist
today and which I expect will be created within the first few years, it
is _vastly_ less resistive to sign the whole zone than to sign just parts
of it related to PKI.

I agree with your goals. Let's secure the infrastructure. However, the
way the bits are falling out is that restricting opt-in to delegations
would *add* complexity, and only for administrative/nontechnical reasons.

Even though DNSSEC doesn't demonstrate much in the way of good protocol
design, there remains a principle of good protocol design to "put in only
what you need." Your proposal would be an addition, and it isn't needed
since zone administrators *can* secure the whole infrastructure without it.