- From: Ted Hardie <Ted.Hardie@nominum.com>
- Date: Mon, 25 Feb 2002 10:07:01 -0800
- To: discuss@apps.ietf.org
Hi, It turns out that the DNSEXT working group and the APPS open meeting are in the same time slot at the next IETF. There is an issue on the plate of the DNSEXT working group that may be of concern to APPS folks, so I encourage folks to read the salient drafts and consider comments to the chairs and working group on the issue. As many of you know, the DNSEXT working group is currently working on several revisions to the DNSSEC specs. It hopes that after those revisions have gone through that several barriers to the use of DNSSEC will be lowered enough that we will see significant deployment. One of the current proposals, "opt-in", (http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-opt-in-01.txt) proposes a mechanism by which a zone could have both secured and unsecured nodes (collections of RRs associated with a specific name). The mechanism by which it does this eliminates one of the data integrity elements of the original DNSSEC specs: authenticated denial of existence for an unsecured node. Denial of existence in this model would remain more or less as it is in the current DNS (an unsigned assertion). Though there has been some security review of the loss of this element of DNSSEC, there hasn't been much review by APPS folks, and I believe that would be useful. The basic question is: if the DNS data integrity model assures that the data returned by a query is the data placed in the DNS by the zone administrator, but does not provide data integrity for denial of existence of nodes in opt-in zones, will it meet the security requirements of your application? Any thought you can put into the question would be appreciated. regards, Ted Hardie
Received on Monday, 25 February 2002 20:59:56 UTC