Re: DNSSEC Opt-In Q: unsigned delegations with opt-in NXTs?
> There was a pretty important clarification that came up during the
> last workshop that I forgot to put in my list of TODOs for the Opt-In
> draft, and it leads to a question for the working group.
>
> Q: Should an Opt-In tagged NXT record be able to have the same name as
> an unsigned delegation?
Yes. Nothing in Opt-In should preclude a standard insecure
delegation.
> That is, can you have a zone fragment that looks like this:
>
> a.example   IN A    1.1.1.1
>             IN SIG  (A) ...
>             IN NXT  b.example A SIG (opt-in)
>             IN SIG  (NXT) ...
> b.example   IN NS   ns.example
>             IN NXT  c.example NS SIG (opt-in)
> c.example   IN NS   ns2.example
>             IN DS   ....
>             IN SIG  (DS) ...
>             IN NXT  ... NS DS SIG (opt-in)
>             IN SIG  (NXT) ...
>
> This case is not addressed at all in the draft, and can lead to
> interoperability problems.
>
> Some reasons why (explicitly) allowing this case might be a good thing:
>
> * There seems to be no protocol reason why this would not be OK.
>
> * Some folks might like to have "proof of existence" available in the
> opt-in zone without having to secure their zone, for whatever
> reason.
>
> Some reasons why disallowing this might be good:
>
> * This state offers no real security benefit: any attack that could be
> accomplished before against the delegation name is still possible
> via a slightly different attack technique.
>
> * This may complicate implementations and analysis, although I think
> that this is unlikely.
>
> At this moment, I personally feel that this case should be allowed,
> but I don't feel very strongly about it.
>
> --
> David Blacka <davidb@verisignlabs.com>
> Sr. Engineer Verisign Applied Research
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org
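To make the "no real security benefit" point above concrete, here is a small
model of what a validated Opt-In NXT chain proves about a name, applied to
the zone fragment quoted in the question. This is an added example, not code
from the thread or from any draft implementation. Everything in it is
constructed: the apex NXT and the wrap-around "next" name of the last NXT
are assumptions (the quoted fragment elides them), signature checking is
assumed to have already succeeded, and an NXT whose type bitmap omits the
NXT type is treated as Opt-In tagged, as in the draft. It compares the
validator's verdict for a referral to b.example with and without the
exact-match Opt-In NXT at that name.

```python
"""Toy model of DNSSEC Opt-In NXT proofs (added example, constructed data)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class NXT:
    owner: str
    next: str
    types: frozenset  # type bitmap of the owner name

    @property
    def opt_in(self):
        # Opt-In tagged NXT: the NXT type itself is absent from the bitmap.
        return "NXT" not in self.types


def canonical_key(name):
    """Sort key for canonical DNS name order: labels compared right to
    left, case-insensitively."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def covers(nxt, name):
    """True if `name` sorts strictly between nxt.owner and nxt.next; the
    last NXT of the zone wraps around to the apex."""
    o, n, q = (canonical_key(x) for x in (nxt.owner, nxt.next, name))
    if o < n:
        return o < q < n
    return q > o or q < n


def classify(chain, name):
    """What a validated chain proves about `name`:
    ("exists", types)      an NXT is owned by the name: the name and exactly
                           these types exist (says nothing about unsigned RDATA)
    ("insecure", None)     covered by an Opt-In span: unsigned names may exist
    ("nonexistent", None)  covered by a normal span: the name does not exist"""
    q = canonical_key(name)
    for nxt in chain:
        if canonical_key(nxt.owner) == q:
            return "exists", frozenset(nxt.types)
    for nxt in chain:
        if covers(nxt, name):
            return ("insecure" if nxt.opt_in else "nonexistent"), None
    raise ValueError("chain does not cover %s" % name)


def referral_status(chain, name):
    """Verdict a validator can reach for a referral (NS RRset) to `name`."""
    kind, types = classify(chain, name)
    if kind == "exists":
        if "NS" not in types:
            return "bogus"      # proven: no NS RRset at this name
        return "secure" if "DS" in types else "insecure"
    if kind == "insecure":
        return "insecure"       # nothing signed constrains this name
    return "bogus"              # proven not to exist


# Constructed chain mirroring the quoted fragment. The apex NXT and the
# wrap-around "next" of the last NXT are assumptions; the quote elides them.
CHAIN_WITH_NXT_AT_B = [
    NXT("example", "a.example", frozenset({"SOA", "NS", "SIG", "NXT"})),
    NXT("a.example", "b.example", frozenset({"A", "SIG"})),       # opt-in
    NXT("b.example", "c.example", frozenset({"NS", "SIG"})),      # opt-in, unsigned delegation
    NXT("c.example", "example", frozenset({"NS", "DS", "SIG"})),  # opt-in, secure delegation
]

# Same zone with no NXT at b.example: the delegation now simply sits inside
# the Opt-In span running from a.example to c.example.
CHAIN_WITHOUT_NXT_AT_B = [
    NXT("example", "a.example", frozenset({"SOA", "NS", "SIG", "NXT"})),
    NXT("a.example", "c.example", frozenset({"A", "SIG"})),
    NXT("c.example", "example", frozenset({"NS", "DS", "SIG"})),
]


def compare_layouts(name="b.example"):
    """Referral verdict for `name` with and without its own Opt-In NXT."""
    return (referral_status(CHAIN_WITH_NXT_AT_B, name),
            referral_status(CHAIN_WITHOUT_NXT_AT_B, name))


if __name__ == "__main__":
    for n in ("a.example", "aa.example", "b.example", "c.example", "0.example"):
        print(n, classify(CHAIN_WITH_NXT_AT_B, n), referral_status(CHAIN_WITH_NXT_AT_B, n))
    print("b.example with/without its own NXT:", compare_layouts())
```

Under both layouts the referral to b.example comes out "insecure": the
exact-match NXT proves that an NS RRset exists at b.example, but the NS
RDATA is still unsigned and an attacker can still substitute it, which is the
sense in which the existence proof changes the attack technique rather than
the outcome. The same model also shows the cases that do differ: a name in a
normal (non-Opt-In) span such as 0.example is provably nonexistent, and a
referral to c.example, whose NXT carries a DS bit, is "secure".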
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>