DNSSEC Opt-In Q: unsigned delegations with opt-in NXTs?
There was a pretty important clarification that came up during the
last workshop that I forgot to put in my list of TODOs for the Opt-In
draft, and it leads to a question for the working group.
Q: Should an Opt-In tagged NXT record be able to have the same name as
an unsigned delegation?
That is, can you have a zone fragment that looks like this:
a.example    IN A   1.1.1.1
             IN SIG (A) ...
             IN NXT b.example A SIG (opt-in)
             IN SIG (NXT) ...
b.example    IN NS  ns.example
             IN NXT c.example NS SIG (opt-in)
c.example    IN NS  ns2.example
             IN DS  ....
             IN SIG (DS) ...
             IN NXT ... NS DS SIG (opt-in)
             IN SIG (NXT) ...
This case is not addressed at all in the draft, and can lead to
interoperability problems.
Some reasons why (explicitly) allowing this case might be a good thing:
* There seems to be no protocol reason why this would not be OK.
* Some folks might like to have "proof of existence" available in the
opt-in zone without having to secure their zone, for whatever
reason.
Some reasons why disallowing this might be good:
* This state offers no real security benefit: any attack that could be
accomplished before against the delegation name is still possible
via a slightly different attack technique.
* This may complicate implementations and analysis, although I think
that this is unlikely.
At this moment, I personally feel that this case should be allowed,
but I don't feel very strongly about it.
--
David Blacka <davidb@verisignlabs.com>
Sr. Engineer Verisign Applied Research
archive: <http://ops.ietf.org/lists/namedroppers/>
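An added example, not part of David Blacka's message or of any Opt-In implementation: a small Python model of how a validator reads an opt-in NXT chain that contains a fragment like the one above. The zone data is constructed (the post's a/b/c.example, plus an apex and a d.example with a non-opt-in NXT that the post does not have, so that a secure span can be contrasted). It uses the Opt-In draft's encoding, where an NXT whose type bitmap lacks the NXT type is an opt-in NXT, which is what the "(opt-in)" annotations in the fragment denote. The names and helper functions below are this example's own.

```python
"""Model of opt-in NXT semantics (added example; zone data is constructed)."""

# Constructed zone: (owner, next owner in canonical order, type bitmap).
# Per the Opt-In draft, an NXT whose bitmap lacks the NXT type is an opt-in
# NXT: unsigned delegations may exist between its owner and its next name.
# b.example is the case the post asks about: an unsigned delegation (NS, no
# DS) that nevertheless has its own opt-in NXT. d.example is constructed
# here only to show a span that is not opt-in.
ZONE_NXT = [
    ("example",   "a.example", {"SOA", "NS", "SIG", "NXT"}),  # apex, secure NXT
    ("a.example", "b.example", {"A", "SIG"}),                 # opt-in span
    ("b.example", "c.example", {"NS", "SIG"}),                # unsigned delegation, own opt-in NXT
    ("c.example", "d.example", {"NS", "DS", "SIG"}),          # signed delegation, opt-in span
    ("d.example", "example",   {"A", "SIG", "NXT"}),          # secure NXT, wraps to apex
]


def canonical_key(name):
    """DNSSEC canonical ordering: compare labels right to left, case-folded."""
    return tuple(label.lower() for label in reversed(name.rstrip(".").split(".")))


def covering_nxt(zone, qname):
    """Return the NXT whose (owner, next) span strictly contains qname, or None."""
    k = canonical_key(qname)
    for owner, nxt, types in zone:
        ok, nk = canonical_key(owner), canonical_key(nxt)
        if ok < nk:
            inside = ok < k < nk
        else:  # the last NXT in the chain wraps back to the apex
            inside = k > ok or k < nk
        if inside:
            return owner, nxt, types
    return None


def classify(zone, qname):
    """What the NXT chain proves about qname.

    ("exists", types)       qname owns an NXT; its type bitmap is authenticated
    ("nonexistent", owner)  qname falls in a span whose NXT is not opt-in
    ("unproven", owner)     qname falls in an opt-in span: an unsigned
                            delegation could exist there, so nothing is proven
    """
    k = canonical_key(qname)
    apex = canonical_key(zone[0][0])
    if k[: len(apex)] != apex:
        raise ValueError(f"{qname} is not in zone {zone[0][0]}")
    for owner, _, types in zone:
        if canonical_key(owner) == k:
            return "exists", frozenset(types)
    owner, _, types = covering_nxt(zone, qname)
    if "NXT" not in types:
        return "unproven", owner
    return "nonexistent", owner


def delegation_status(types):
    """Classify an authenticated type bitmap as a (un)signed delegation or not."""
    if "SOA" in types or "NS" not in types:
        return "not a delegation"
    return "signed delegation" if "DS" in types else "unsigned delegation"


if __name__ == "__main__":
    for q in ("b.example", "bb.example", "c.example", "dd.example"):
        print(q, classify(ZONE_NXT, q))
```

The two outcomes the post weighs both show up here: because b.example has its own opt-in NXT, `classify` returns an authenticated bitmap for it and `delegation_status` reports it as an unsigned delegation (the "proof of existence" benefit), while any name inside the b.example to c.example span, such as bb.example, stays "unproven", exactly as it would without that NXT (the "no real security benefit" point).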