Re: DNSSEXT Yokohama Minutes



On Wed, 4 Sep 2002, Roy Arends wrote:

> On Tue, 3 Sep 2002, Brian Wellington wrote:
>
> > On Wed, 4 Sep 2002, Roy Arends wrote:
> >
> > > > And then there is the issue on memory usage in caches, there was an
> > > > assertion that opt-in zones cause more memory consumption than other
> > > > DNSSEC zones.
> > >
> > > This is true,
> > >
> > > A positive response with Opt-in holds:    QTYPE+NXT+SIG(NXT).
> > >
> > > A positive response without Opt-in holds: QTYPE+SIG(QTYPE).
> >
> > The positive response with opt-in also needs to contain proof that there's
> > no secure wildcard, otherwise secure wildcards can be spoofed away.  This
> > will mean another SIG and SIG(NXT) in almost every case.
>
> No, you don't need proof for wildcards.
>
> If I was to spoof a resolver, proof of [non-]existence of secure wildcards
> does not prevent or help me do that.
>
> If you asked for something in an unsecured interval, all bets are off.
>
> Remember that this is for delegations only. Are you suggesting proof
> of [absent] signed wildcard delegations ?

Note that wildcards are in a zone, delegation points are outside a zone,
therefore you can't use wildcard delegations, and thus no proof for
existing wildcard delegation is needed.

roy
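The point Roy makes about "an unsecured interval" rests on how a validator decides which NXT span a query name falls into, using DNSSEC canonical name ordering. The following is an added illustration, not code from the thread or from any DNS implementation: it implements canonical ordering (rightmost label first, case-insensitive, byte-wise, shorter prefix sorts first), handles the wrap-around span of the last NXT back to the apex, and reports whether a name lands in a secure span, an Opt-in span, or on an existing owner. The `opt_in` flag on each record and the zone data are constructed for the example; the draft's own wire encoding of Opt-in is not parsed here.

```python
from typing import List, NamedTuple, Tuple


class NXT(NamedTuple):
    """Simplified NXT record (constructed representation, not wire format)."""
    owner: str
    next_name: str
    opt_in: bool  # True: the span (owner, next_name) is an Opt-in, unsecured interval


def canonical_key(name: str) -> Tuple[bytes, ...]:
    # DNSSEC canonical ordering: compare labels from the root downwards,
    # case-insensitively, as byte strings; a name that is a prefix of another
    # (fewer labels) sorts first, which tuple comparison gives for free.
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def in_zone(name: str, apex: str) -> bool:
    ka = canonical_key(apex)
    return canonical_key(name)[: len(ka)] == ka


def span_covers(rec: NXT, qname: str) -> bool:
    """True if qname lies strictly between rec.owner and rec.next_name.

    The last NXT in a zone points back to the apex, so its span wraps around:
    everything sorting after the owner is covered by it.
    """
    ko, kn, kq = canonical_key(rec.owner), canonical_key(rec.next_name), canonical_key(qname)
    if kn <= ko:  # wrap-around span of the last record
        return kq > ko
    return ko < kq < kn


def classify(qname: str, chain: List[NXT], apex: str) -> str:
    """Say what the NXT chain of `apex` proves about `qname`."""
    if not in_zone(qname, apex):
        return "out-of-zone"
    kq = canonical_key(qname)
    for rec in chain:
        if canonical_key(rec.owner) == kq:
            return "owner-exists"
        if span_covers(rec, qname):
            # In an Opt-in span the absence of a (delegation) name is not proven:
            # "all bets are off" for names asked in that interval.
            return "opt-in-span" if rec.opt_in else "secure-span"
    return "no-covering-nxt"


# Constructed NXT chain for a hypothetical zone example.com; the a->c span is Opt-in.
APEX = "example.com"
CHAIN = [
    NXT("example.com", "a.example.com", opt_in=False),
    NXT("a.example.com", "c.example.com", opt_in=True),
    NXT("c.example.com", "z.example.com", opt_in=False),
    NXT("z.example.com", "example.com", opt_in=False),  # wraps back to the apex
]

if __name__ == "__main__":
    for q in ("b.example.com", "d.example.com", "zz.example.com", "C.example.com", "foo.org"):
        print(f"{q:16} -> {classify(q, CHAIN, APEX)}")
```

Running the block prints one line per constructed query: `b.example.com` falls in the Opt-in span, so the chain cannot prove that no delegation exists there; `d.example.com` and `zz.example.com` fall in secure spans (the latter via the wrap-around record); `C.example.com` matches an owner case-insensitively; `foo.org` is outside the zone.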
archive: <http://ops.ietf.org/lists/namedroppers/>