> Now convince me that an opt-in DNSSEC solution really will hurt,
> security-wise.

To clarify the issue here.

The one difference in the security of a fully signed zone and an Opt-in zone is that if the zone is fully signed and contains the domains A, B, D, it is not possible to insert a zone C. If, however, the zone is an opt-in zone and B is not signed, so the NXT record spans A->D, it is possible to insert a record C.

While such an attack may be an issue in some zones, it is not an issue in dotcom, since anyone can insert a record C at will by paying $35 or so for the unused name.

So perhaps we need the appropriate statement in the RFC to the effect "don't use this if the attack is significant".

However, I strongly suspect that no domain is going to grow to a very large size if it is hard to insert records through the kosher procedures.

Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227
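The difference Phill describes, modelled as an added example (not code from the message or from any DNSSEC implementation): a toy validator that builds the NXT chain over the signed names of a zone and decides whether an unsigned record for a name falling in a gap may be accepted. The zone contents (A, B, D) and the decision rule are constructed for illustration; in the fully signed zone the gap is proof of non-existence, in the Opt-in zone the same gap may legitimately hold unsigned data, so C slips in.

```python
# Added illustration of the Opt-in NXT span issue; zone data is constructed.

def canonical(name):
    """Lower-case, trailing-dot-free form used for NXT ordering."""
    return name.lower().rstrip(".")

def build_nxt_chain(signed_names):
    """Return the (owner, next) NXT spans over the signed names, in
    canonical order, with a wraparound span from the last name to the first."""
    order = sorted(canonical(n) for n in signed_names)
    return [(order[i], order[(i + 1) % len(order)]) for i in range(len(order))]

def covering_span(chain, name):
    """Return the NXT span whose gap covers 'name', or None when 'name' is
    itself an NXT owner (a signed name that must carry its own signature)."""
    name = canonical(name)
    for owner, nxt in chain:
        if name == owner:
            return None
        if owner == nxt:                      # single-name zone: one span covers all
            return (owner, nxt)
        if owner < nxt and owner < name < nxt:
            return (owner, nxt)
        if owner > nxt and (name > owner or name < nxt):   # wraparound span
            return (owner, nxt)
    return None

def accepts_unsigned_delegation(chain, name, opt_in):
    """A resolver's decision for an unsigned record at 'name'.

    Fully signed zone: every name is an NXT owner, so a name in a gap is
    proven not to exist and the unsigned data is rejected.
    Opt-in zone: a gap may hold unsigned (opted-out) names, so unsigned
    data for a name in the gap is accepted; this is the hole for record C.
    """
    if covering_span(chain, name) is None:
        return False          # signed owner: unsigned data is always rejected
    return opt_in

# Constructed zone from the message: names A, B, D.
FULLY_SIGNED = build_nxt_chain(["a", "b", "d"])   # spans A->B, B->D, D->A
OPT_IN = build_nxt_chain(["a", "d"])              # B unsigned, so spans A->D, D->A

if __name__ == "__main__":
    print("fully signed accepts unsigned C:", accepts_unsigned_delegation(FULLY_SIGNED, "c", False))
    print("opt-in accepts unsigned C:      ", accepts_unsigned_delegation(OPT_IN, "c", True))
```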