Hi Andrew -

Thanks for the thoughtful analysis.

With respect to off-tree signatures - a zone admin could add an
off-tree pointer at any point in a hierarchy and then you could rely
upon the pointer if the validator actually got it. The problem is
that without some external flag (in PNE - that's the set of trust
anchors) - the resolver doesn't even know the hierarchy should be
signed; a simple deletion of the off-tree pointer would put the zone
back into insecure status. If you added this, you'd be basically
creating something about halfway between PNE and SO - maybe a
reasonable idea, but my guess is that it makes the PNE validator even
more complex. :-) It would definitely change the security model at
least as much as SO does.

With respect to the item below and
draft-ietf-dnsext-dnssec-opt-in-09.txt: If I'm reading this document
correctly, I think my statement still stands (for 4033-4045 for sure
and for this document maybe). What the document does is replace a
chain of NSEC (delegation here, but no DS) records with a single NSEC
(no DS records in the span). The entire namespace of the zone does
continue to be signed, but in a summary way. (Of course, you can put
other things in the span besides delegations, but as I read the
document - that's not the intent.) The document is silent on the
treatment of other records in the "opt in span". It would be
interesting to try to figure out what the proper behavior for a
normal, non-delegation (e.g. not NS, not DS, not glue A) record in
that space would be - my guess is that anything in the span is
subject to a deletion attack.

What I meant by partial signing was the ability to sign only one or a
few RRSets (e.g. the MX records plus the referred-to A records plus
the DNSKEY records) - the ones I really might want people to care
about - and still have a validly signed zone. I *think* if you did
opt in, and did an opt-in NSEC record "zonename nsec zonename" - you
*might* get the same behavior? Again, hard to tell as the document
really doesn't talk about non-delegation records.


At 04:09 PM 12/20/2006, Andrew Sullivan wrote:
>I also don't buy the following claim, in signonly:
> o Zones must be signed on an "all or nothing" basis. It's
> impossible to sign just a portion of the data in the zone.
>DNSSEC-bis could have been made to work this way, as the opt-in
>proposal (now being advanced as experimental) shows. Since opt-in is
>included in NSEC3, it is certainly possible to sign just a portion of
>the data in the zone, at least for some meaning of "sign just a
>portion." Perhaps I have misunderstood the intent or import of this

to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
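The deletion attack the message speculates about (an ordinary signed record sitting inside an opt-in NSEC span), worked through in a toy validator. This is an added example, not code from the message author or from the opt-in draft. Assumptions: the zone (example.com with unsigned delegations a/b/c and a host record) is constructed, names are compared in RFC 4034 canonical order, RRSIG checking is reduced to "the record exists in the signed set", and an NSEC whose type bitmap omits the NSEC bit is treated as an opt-in NSEC.

```python
"""Toy model of DNSSEC opt-in NSEC spans (added example, not from the draft).

Assumptions: names are plain strings compared in RFC 4034 canonical order,
RRSIG validation is reduced to membership in SIGNED_RRSETS, and an NSEC whose
type bitmap lacks the NSEC bit is an opt-in NSEC (the draft's encoding).
"""
from dataclasses import dataclass


def canon_key(name: str):
    """RFC 4034 canonical ordering: labels compared right to left, case-folded."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset

    @property
    def opt_in(self) -> bool:
        # Opt-in encoding: the NSEC bit is absent from the type bitmap.
        return "NSEC" not in self.types

    def covers(self, name: str) -> bool:
        """True if name sorts strictly between owner and next (wrapping at the apex)."""
        o, n, k = canon_key(self.owner), canon_key(self.next_name), canon_key(name)
        if o < n:
            return o < k < n
        return k > o or k < n  # the last NSEC in the chain wraps back to the apex


# Constructed zone: a few signed names, a run of unsigned delegations (a, b, c),
# and one ordinary signed host record that was left inside the opt-in span
# instead of getting an NSEC of its own.
SIGNED_RRSETS = {
    ("example.com", "MX"): ["10 mail.example.com."],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("www.example.com", "A"): ["192.0.2.80"],
    ("host.example.com", "A"): ["192.0.2.99"],  # sits inside the opt-in span
}
UNSIGNED_DELEGATIONS = {"a.example.com", "b.example.com", "c.example.com"}
NSEC_CHAIN = [
    # apex -> mail: no NSEC bit, so this single record is the opt-in span
    NSEC("example.com", "mail.example.com",
         frozenset({"SOA", "NS", "DNSKEY", "MX", "RRSIG"})),
    NSEC("mail.example.com", "www.example.com", frozenset({"A", "RRSIG", "NSEC"})),
    NSEC("www.example.com", "example.com", frozenset({"A", "RRSIG", "NSEC"})),
]


def validate_denial(name: str, rtype: str, nsec_chain) -> str:
    """Validator's verdict on an NXDOMAIN/NODATA answer for (name, rtype)."""
    for nsec in nsec_chain:
        if canon_key(nsec.owner) == canon_key(name):
            # The name exists; NODATA is proven only if the type is not in the bitmap.
            return "SECURE_NODATA" if rtype not in nsec.types else "BOGUS"
        if nsec.covers(name):
            # Inside an opt-in span the name may be an unsigned delegation, so
            # the validator can only conclude "insecure", never "proven absent".
            return "INSECURE" if nsec.opt_in else "SECURE_NXDOMAIN"
    return "BOGUS"  # no NSEC says anything about this name


def attacker_deletes(name: str, rtype: str) -> str:
    """Verdict when an on-path attacker strips a signed answer and substitutes a
    denial built only from the zone's own, validly signed NSEC records."""
    if (name, rtype) not in SIGNED_RRSETS:
        raise ValueError("attack is modeled only for data that really is signed")
    return validate_denial(name, rtype, NSEC_CHAIN)


if __name__ == "__main__":
    for n in ("host.example.com", "www.example.com", "mail.example.com"):
        print(n, "A ->", attacker_deletes(n, "A"))
```

Deleting host.example.com's A record yields INSECURE, which a validator accepts without complaint; the same trick against www.example.com or mail.example.com yields BOGUS because their own NSEC records list the A type. Legitimate names in the span (b.example.com) also come back INSECURE, which is exactly why the span cannot distinguish the two cases.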