Re: DNSSEXT Yokohama Minutes
On Tue, 3 Sep 2002, Roy Arends wrote:
> On Tue, 3 Sep 2002, David Blacka wrote:
>
> > >>>>> "ogud" == Olafur Gudmundsson <Olafur> writes:
> >
> > ogud> This will not happen on my watch, but Opt-in camp needs to
> > ogud> answer the open questions in their open park.
> >
> > Could somebody please restate the open questions about opt-in? Feel
> > free to add new open questions.
>
> As I recall, we need to write:
>
> - The impact on: Authoritative servers (but this is already clear in draft
> IMHO)
> [caching] resolvers (basically the change to the resolver
> algorithm)
> - The current issues:
> Clear AD-bit on an opt-in response.
> (I think this will be taken care of by the "AD-bit is
> secure" authors ).
This is for Opt-in to specify, not AD, due to dependency reasons; this
definition is only needed if both AD and Opt-in are part of the standard.

For the record: this relates to use of NXT between the two names
on the NXT (record name and the target name).

In DNSSEC where AD bit is used (either RFC2535 or AD-secure definition),
the AD bit can be set on response if it is authenticated denial with NXT,
for the QNAME if the

    NXTNAME == QNAME or (NXTNAME < QNAME and QNAME < NXTargetNAME)

Opt-in NXT must define that this NXT can only be used when
NXTNAME == QNAME to set the AD bit.
> Some of the above were stated by Olafur last week during the DS workshop,
> others were a result of research by Rob Austein and me (which was
> presented at Yokohama).
Then there is the minor issue of bytes on the wire: are responses
from Opt-in zones smaller/same/larger than from regular DNSSEC zones?

And then there is the issue of memory usage in caches; there was an
assertion that opt-in zones cause more memory consumption than other
DNSSEC zones.
Olafur
archive: <http://ops.ietf.org/lists/namedroppers/>
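The AD-bit rule stated in the message above, as an added example that is not part of the original post or of any DNS implementation. It assumes names in presentation format without escaped dots, compares them in the canonical DNS name order of RFC 2535, and does not handle the last NXT of a zone, whose target wraps back to the apex. Function names and sample names are hypothetical.

```python
# Added example: may the AD bit be set on an NXT-based denial for QNAME?
# Rule from the message:
#   regular NXT: NXTNAME == QNAME or (NXTNAME < QNAME and QNAME < NXTargetNAME)
#   opt-in NXT:  NXTNAME == QNAME only


def canonical_key(name):
    """Sort key for canonical DNS name order: labels are compared
    right to left (most significant first), case-insensitively,
    as octet strings."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels) if label]


def nxt_spans(nxt_name, nxt_target, qname):
    """True if NXTNAME < QNAME < NXTargetNAME in canonical order."""
    owner, target, q = map(canonical_key, (nxt_name, nxt_target, qname))
    return owner < q < target


def may_set_ad(nxt_name, nxt_target, qname, opt_in):
    """Decide whether this NXT lets a response for qname carry AD."""
    if canonical_key(nxt_name) == canonical_key(qname):
        return True   # exact owner match qualifies for both NXT kinds
    if opt_in:
        return False  # an opt-in NXT says nothing secure about its span
    return nxt_spans(nxt_name, nxt_target, qname)


if __name__ == "__main__":
    # Constructed sample data: one NXT from a.example. to d.example.
    nxt = ("a.example.", "d.example.")
    for qname in ("A.Example.", "b.example.", "z.a.example.", "e.example."):
        for opt_in in (False, True):
            verdict = may_set_ad(*nxt, qname, opt_in)
            print(f"{qname:14} opt_in={opt_in!s:5} AD allowed: {verdict}")
```

The `z.a.example.` case is the one a plain string comparison gets wrong: in canonical order it sorts between `a.example.` and `d.example.`, so a regular NXT covers it and an opt-in NXT does not.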