
Re: draft-weiler-dnsext-dnssec-2535-compat-00.txt



On Sun, 2 Mar 2003, Roy Arends wrote:
>
> Proposing new DNSSEC RR type codes implies upgrading resolvers,
> which seems to be exactly what you wanted to avoid.

DS already forces resolvers to upgrade if they want DNSSEC validation.

I'm trying to make sure that resolvers that don't understand DS at
least get (and don't discard) insecure answers.  The problem described
causes legacy resolvers to discard good data from signed zones.  If
that were likely to happen, some zones (cnn.com. being my favorite
example) would REALLY not want their parent to be signed.  I don't
want to see the CNNs of the world lobbying to keep .com from being
signed.

-- Sam

