
Re: Remarks on draft-stjohns-dnssec-sigonly



MSJ wrote on 12/20/2006 11:01:28 PM:

> With respect to the item below and
> draft-ietf-dnsext-dnssec-opt-in-09.txt:  If I'm reading this document
> correctly, I think my statement still stands (for 4033-4045 for sure
> and for this document maybe).  What the document does is replace a
> chain of NSEC (delegation here, but no DS) records with a single NSEC
> (no DS records in the span).  The entire namespace of the zone does
> continue to be signed, but in a summary way.  (Of course, you can put
> other things in the span besides delegations, but as I read the
> document - that's not the intent.)

That's indeed not the intent.

> The document is silent on the treatment of other records in the "opt in
> span".

From http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-opt-in-09.txt

4.1.1.  Delegations Only

   This specification dictates that only insecure delegations may exist
   between the owner and "next" names of an Opt-In tagged NSEC record.
   Signing tools MUST NOT generate signed zones that violate this
   restriction.  Servers MUST refuse to load and/or serve zones that
   violate this restriction.  Servers also MUST reject AXFR or IXFR
   responses that violate this restriction.

Regards,

Roy Arends
Nominet UK

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
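The "Delegations Only" rule quoted above is exactly what a signer's output checker or a server's zone loader has to enforce ("Servers MUST refuse to load and/or serve zones that violate this restriction"). As an added example, not code from the draft, from Nominet or from any DNS implementation, here is a small Python check that walks the NSEC chain of a constructed sample zone, picks out every Opt-In tagged NSEC record and verifies that each name falling between its owner and "next" name in RFC 4034 canonical order is an insecure delegation (NS present, no DS) or glue beneath one. The zone data, the record model (a set of RR types per name, NSEC modelled as a `(next name, type bitmap)` pair) and all function names are my own; Opt-In tagging is modelled as the NSEC bit being absent from the NSEC record's own type bitmap, which is my reading of the draft's signalling convention.

```python
"""Zone-load check for the Opt-In "Delegations Only" restriction.

Added example, not code from the draft or any DNS server. A tiny zone is
modelled as constructed data; the check reports every name inside an
Opt-In span that is not an insecure delegation (or glue beneath one).
"""


def canonical_key(name):
    """Sort key giving RFC 4034 section 6.1 canonical name order: labels
    are compared right to left, case-insensitively, and a name that is a
    proper suffix of another name sorts before it."""
    labels = [lab.lower().encode() for lab in name.rstrip(".").split(".") if lab]
    return tuple(reversed(labels))


def is_below(name, ancestor):
    """True if name is strictly below ancestor in the DNS tree."""
    ka, kn = canonical_key(ancestor), canonical_key(name)
    return len(kn) > len(ka) and kn[:len(ka)] == ka


def names_in_span(owner, next_name, all_names):
    """Names strictly between an NSEC owner and its next name, in canonical
    order. When next sorts before owner this is the last NSEC in the zone
    and the span wraps around past the end of the zone."""
    ko, kn = canonical_key(owner), canonical_key(next_name)

    def between(k):
        if ko < kn:
            return ko < k < kn
        return k > ko or k < kn  # wrap-around span

    return sorted((n for n in all_names if between(canonical_key(n))), key=canonical_key)


def is_opt_in(bitmap):
    # Assumption (my reading of the draft): an Opt-In tagged NSEC record is
    # one whose own type bitmap lacks the NSEC bit.
    return "NSEC" not in bitmap


def opt_in_violations(rrsets, nsec_chain):
    """Return [(nsec_owner, offending_name, reason)] for every name inside an
    Opt-In span that the draft's section 4.1.1 does not allow there."""
    violations = []
    for owner, (next_name, bitmap) in nsec_chain.items():
        if not is_opt_in(bitmap):
            continue
        span = names_in_span(owner, next_name, rrsets)
        # insecure delegations: NS at the name, no DS in the parent zone
        delegations = {n for n in span if "NS" in rrsets[n] and "DS" not in rrsets[n]}
        for name in span:
            if name in delegations or any(is_below(name, d) for d in delegations):
                continue  # the delegation itself, or glue beneath it
            types = rrsets[name]
            if "NS" in types and "DS" in types:
                reason = "secure delegation (has DS) needs its own NSEC and RRSIG"
            else:
                reason = "authoritative data cannot be summarised by an Opt-In span"
            violations.append((owner, name, reason))
    return violations


class ZoneLoadError(Exception):
    """Raised where a server MUST refuse to load the zone."""


def load_zone(rrsets, nsec_chain):
    """Model the server's MUST: refuse the zone if any span is violated."""
    bad = opt_in_violations(rrsets, nsec_chain)
    if bad:
        raise ZoneLoadError("; ".join(f"{n} under NSEC {o}: {r}" for o, n, r in bad))
    return True


# Constructed sample zone "example.": name -> set of RR types present.
RRSETS = {
    "example.":       {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"},
    "a.example.":     {"A", "RRSIG", "NSEC"},
    "c.example.":     {"NS"},          # insecure delegation: allowed in the span
    "ns1.c.example.": {"A"},           # glue beneath c.example.: allowed
    "d.example.":     {"NS", "DS"},    # secure delegation: violation
    "m.example.":     {"A"},           # plain authoritative data: violation
    "z.example.":     {"A", "RRSIG", "NSEC"},
}

# Constructed NSEC chain: owner -> (next name, type bitmap of that NSEC).
NSEC_CHAIN = {
    "example.":   ("a.example.", {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}),
    "a.example.": ("z.example.", {"A", "RRSIG"}),  # no NSEC bit: Opt-In span a..z
    "z.example.": ("example.",   {"A", "RRSIG", "NSEC"}),
}

if __name__ == "__main__":
    for owner, name, reason in opt_in_violations(RRSETS, NSEC_CHAIN):
        print(f"refusing zone: {name} inside Opt-In span of {owner}: {reason}")
```

Dropping the two offending names from `RRSETS` (or giving `d.example.` its own NSEC and RRSIG so it leaves the span) makes `load_zone` accept the zone; the wrap-around case is exercised by the `z.example.` record whose next name is the apex.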