
Re: [idn] Re: Optional & Additional Character Equivalence Preparations by Zone



----- Original Message -----
From: "Erik Nordmark" <Erik.Nordmark@eng.sun.com>
> If the DNS servers don't care about potential DoS attacks and having
> on-line keys then signing on the fly could work. But that is a huge "if".
> The DoS attack is that anybody can send DNS queries to have the DNS server
> spend all its CPU generating signatures on the fly.
> Sure sounds like a bad design from a security and robustness perspective.
>
Which is why I said it is not advisable.  But it is a possibility.

> I don't understand what "opt-in" has to do with IDN. Could you please
> explain?

Multilingual names that have character equivalency issues will have to
opt-out of DNSSEC.

> Your third idea (SIG RRs for all permutations) has a natural follow-on:
> If you have enough memory/storage for the large SIG RRs for all
> permutations then the additional memory/storage for the underlying RRs
> for all permutations will be very small. So in practise this sounds like
> creating all permutations in the zone file e.g. at registration time.
> That (or just a subset of all permutations picked at registration time)
> has the benefit of not requiring any changes to the DNS server software.

Erik, honestly, I don't have the exact "best" solution yet.  My point is that
there are "possibilities" and we should not rule the entire thing out just
because it might be a bit difficult.  I really want to stop talking about
this subject on this list, but it seems to me very irresponsible, especially
considering that I am an implementor of this technology, that I would have to
tell my customers that:
A.example  is NOT the same as A.example
How can I do that?  Any normal person in this world would not accept this,
yet I am creating a system that forces them to accept that.  I could step
back and say, "oh well, buyers beware", but it just doesn't seem right.  Do
you think it is right?

Edmon
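As an added illustration, not part of the thread, the following script expands a label over a constructed character-equivalence table into the full set of equivalent spellings that the "all permutations in the zone file" design quoted above would have to register and sign; the equivalence classes, the variant limit and the 192.0.2.1 address are constructed assumptions, not anything from the list discussion.

```python
# Added example (not from the thread): expand a label over a constructed
# character-equivalence table into every equivalent spelling, i.e. the set
# of names the "all permutations in the zone file" design must hold and sign.
from itertools import product

# Constructed equivalence classes for illustration only; a real table would
# come from the zone's own equivalence policy. EQUIV maps each member to its class.
EQUIV_CLASSES = [
    {"a", "\u00e0", "\u00e1"},   # a, a-grave, a-acute
    {"o", "\u00f6", "\u00f8"},   # o, o-umlaut, o-slash
    {"e", "\u00e9"},             # e, e-acute
]
EQUIV = {ch: cls for cls in EQUIV_CLASSES for ch in cls}


def variant_count(label: str) -> int:
    """Number of equivalent spellings: product of the class size at each position."""
    n = 1
    for ch in label:
        n *= len(EQUIV.get(ch, {ch}))
    return n


def expand_label(label: str, limit: int = 10_000) -> set[str]:
    """All equivalent spellings of `label`.

    Refuses to expand past `limit` variants: the combinatorial growth is
    exactly the memory/storage (and signing) cost the quoted message weighs.
    """
    n = variant_count(label)
    if n > limit:
        raise ValueError(f"{label!r} expands to {n} variants (limit {limit})")
    choices = [sorted(EQUIV.get(ch, {ch})) for ch in label]
    return {"".join(t) for t in product(*choices)}


def zone_records(label: str, zone: str, rdata: str) -> list[str]:
    """One A record per equivalent spelling, as pre-populated at registration time."""
    return [f"{v}.{zone}. IN A {rdata}" for v in sorted(expand_label(label))]


if __name__ == "__main__":
    # Constructed labels: growth is exponential in the number of equivalent characters.
    for lbl in ("cafe", "aoe", "a" * 8):
        print(f"{lbl!r}: {variant_count(lbl)} variants")
    for rr in zone_records("ae", "example", "192.0.2.1"):
        print(rr)
```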