W3C home > Mailing lists > Public > ietf-discuss@w3.org > February 2002

App/DNS question

From: Ted Hardie <Ted.Hardie@nominum.com>
Date: Mon, 25 Feb 2002 10:07:01 -0800
To: discuss@apps.ietf.org
Message-ID: <20020225100701.C30137@shell.nominum.com>
	It turns out that the DNSEXT working group and the APPS open
meeting are in the same time slot at the next IETF.  There is an issue
on the plate of the DNSEXT working group that may be of concern to
APPS folks, so I encourage folks to read the salient drafts and
consider comments to the chairs and working group on the issue.
	As many of you know, the DNSEXT working group is currently
working on several revisions to the DNSSEC specs.  It hopes that after
those revisions have gone through that several barriers to the use of
DNSSEC will be lowered enough that we will see significant deployment.
One of the current proposals, "opt-in",
proposes a mechanism by which a zone could have both secured and
unsecured nodes (collections of RRs associated with a specific name).
The mechanism by which it does this eliminates one of the data
integrity elements of the original DNSSEC specs: authenticated denial
of existence for an unsecured node.  Denial of existence in this model
would remain more or less as it is in the current DNS (an unsigned
	Though there has been some security review of the loss of this
element of DNSSEC, there hasn't been much review by APPS folks, and I
believe that would be useful.  The basic question is: if the DNS data
integrity model assures that the data returned by a query is the data
placed in the DNS by the zone administrator, but does not provide data
integrity for denial of existence of nodes in opt-in zones, will it
meet the security requirements of your application? 
	Any thought you can put into the question would be appreciated.
				Ted Hardie

Received on Monday, 25 February 2002 20:59:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:08:14 UTC