> That's not really helpful now, is it. I can't go anywhere else to look it
> up (it's the only authoritative place in town) and I'm left with a
> statement that "hall.city exists"

To put it another way, in an opt-in zone, a middleman can take a domain name that does not exist and make it appear that an unsecure domain exists at that name.

This is not considered a big deal at the TLD level, because even under RFC 2535, a middleman could do that with the following four steps:

1. Go to www.nsi.com
2. Type the nonexistent domain into the textbox and press enter
3. Pay $35
4. Point your new unsecure domain anywhere you'd like

However, this is a concern at other levels. For example, if ibm.com was opt-in, a middleman could make it look like an unsecure delegation called corporate.ibm.com existed and thereby make it look like his computers were part of IBM's network. But that's the security tradeoff you make when your zone is opt-in.

I think that end user zones SHOULD NOT be opt-in, but whether they MUST NOT be is up for debate. Which is less of a headache? So far, I'm not sure.

-- 
Mike Schiraldi
VeriSign Applied Research
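The tradeoff in the message above can be made concrete by modelling what a validating resolver can conclude from an NSEC-style chain when a name falls into a gap between two signed names. The following is an added example, not code from the mailing-list post or from any DNS implementation; the zone contents (ibm.com with two signed children) and the name corporate.ibm.com are constructed from the discussion, and the `opt_in` flag stands in for the per-record opt-in bit being debated, under which a span only promises that no other *signed* names lie between its endpoints. Without opt-in, the span proves the name is absent, so an injected unsigned delegation fails validation; with opt-in, the same injected delegation is indistinguishable from a legitimate unsecure delegation, which is exactly the risk the post describes at levels below the TLD.

```python
"""Model of DNSSEC denial of existence with and without opt-in NSEC spans.

Added example (not from the mailing-list post). Zone data and names are
constructed. The opt_in flag models the opt-in bit under discussion: a span
with the bit set covers only signed names, so unsigned delegations may
legitimately exist anywhere inside it.
"""
from dataclasses import dataclass


def canonical_key(name: str) -> tuple:
    # DNSSEC canonical ordering: labels compared right to left, case-insensitively.
    return tuple(reversed(name.lower().rstrip(".").split(".")))


@dataclass(frozen=True)
class NSEC:
    owner: str       # signed name that owns this span
    next_name: str   # next signed name in canonical order (wraps at the apex)
    opt_in: bool     # True: unsigned names may exist between owner and next_name


def build_chain(signed_names, opt_in: bool):
    """Build the circular chain of spans over the zone's signed names."""
    names = sorted(set(signed_names), key=canonical_key)
    return [NSEC(names[i], names[(i + 1) % len(names)], opt_in)
            for i in range(len(names))]


def covers(span: NSEC, qname: str) -> bool:
    """True if qname lies strictly between the span's endpoints."""
    k = canonical_key(qname)
    lo, hi = canonical_key(span.owner), canonical_key(span.next_name)
    if lo < hi:
        return lo < k < hi
    return k > lo or k < hi  # the last span wraps around to the zone apex


def classify(chain, qname: str) -> str:
    """What a validator can conclude about qname from the signed chain."""
    for span in chain:
        if canonical_key(span.owner) == canonical_key(qname):
            return "SECURE"  # name is signed and present
        if covers(span, qname):
            # A plain span proves nothing exists between its endpoints.
            # An opt-in span only proves no *signed* name exists there, so an
            # unsigned delegation at qname is consistent with the signed data.
            return "UNSIGNED_OR_ABSENT" if span.opt_in else "PROVEN_ABSENT"
    return "NO_COVERING_SPAN"  # incomplete proof; treat as bogus


def injected_delegation_accepted(chain, qname: str) -> bool:
    """Would a validator accept an unsigned NS RRset for qname that is not
    actually in the zone?  Only an opt-in chain leaves room for it."""
    return classify(chain, qname) == "UNSIGNED_OR_ABSENT"


if __name__ == "__main__":
    # Constructed zone: the apex plus two signed children.
    signed = ["ibm.com", "research.ibm.com", "www.ibm.com"]
    full = build_chain(signed, opt_in=False)
    optin = build_chain(signed, opt_in=True)
    for label, chain in (("fully signed", full), ("opt-in", optin)):
        print(f"{label:13s} corporate.ibm.com -> {classify(chain, 'corporate.ibm.com')}"
              f"  (injected delegation accepted: "
              f"{injected_delegation_accepted(chain, 'corporate.ibm.com')})")
```

The two chains sign exactly the same names; the only difference is the flag. That is why the choice is a policy decision for the zone owner rather than something a resolver can compensate for: once a zone is opt-in, nothing in the signed data distinguishes a real unsecure delegation from one a middleman made up.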