[Dnssec-deployment] opt out in leaf zones (was: DNSSEC for .nz, status update)

Peter Koch pk at ISOC.DE
Fri Nov 25 15:13:28 EST 2011


On Fri, Nov 25, 2011 at 10:41:32AM -0500, Andrew Sullivan wrote:

> think it means "technical benefit".  If opt-out allows you to tell
> people, "We support this privacy feature," even if you know perfectly
> well that the "feature" is useless in the context, it can cut off

I'm not sure I understand you correctly, but why would 'opt-out'
make NSEC3 more of a privacy feature than 'vanilla' NSEC3?

The usefulness of NSEC3 in the standard APEX+"www"+"mail" zone
can be questioned already but opt-out in a leaf zone not only
may not save much, it could also add the risk of loss of authenticated
denial of existence, where that might be more important somewhere
down the tree than at the TLD (or equivalent) level. I.e., it is
probably still easier to just register an SLD right away than
spoofing it into existence.  That property might not hold in
other parts of the name space.

-Peter
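The point above about opt-out costing authenticated denial of existence can be seen directly in what a validator is allowed to conclude from the covering NSEC3 record. The following is an added example, not code from the mailing list or from Peter Koch: it hashes names per RFC 5155, builds the NSEC3 chain of the apex + "www" + "mail" leaf zone from the post twice (once with flags 0, once with the Opt-Out flag set), and reports what each chain proves about a name that does not exist. The zone name `example.test.`, the salt and the function names are constructed for the demonstration; the apex hash of `example.` with salt `aabbccdd` and 12 iterations is the value from RFC 5155 Appendix A and is only used as a self-check of the hash routine. The closest-encloser and wildcard proofs of RFC 5155 section 8 are deliberately omitted, so this is a model of the opt-out rule, not a full validator.

```python
# Added example (not from the mailing-list post): a toy NSEC3 chain that
# shows what a validator can and cannot conclude once the Opt-Out flag is set.
# Hashing follows RFC 5155 section 5; the chain, zone names and salt below are
# constructed for the demonstration. Real validation also needs the
# closest-encloser and wildcard proofs of RFC 5155 section 8, omitted here.
import base64
import hashlib
from dataclasses import dataclass

OPT_OUT = 0x01  # NSEC3 flags field, bit 0 (RFC 5155 section 3.1.2.1)

# base64.b32encode uses the RFC 4648 alphabet; NSEC3 owner names use the
# "extended hex" alphabet, so translate between the two.
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a domain name: length-prefixed labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 hash: SHA-1(x || salt), applied 1 + iterations times, base32hex."""
    digest = to_wire(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_HEX).lower()


@dataclass
class Nsec3:
    owner: str       # hashed owner name
    flags: int
    next_owner: str  # hashed next owner name in the circular chain


def build_chain(names, salt: bytes, iterations: int, flags: int):
    """Signer-side view: one NSEC3 per existing name, sorted into a circular chain."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [Nsec3(hashes[i], flags, hashes[(i + 1) % len(hashes)])
            for i in range(len(hashes))]


def find_nsec3(chain, h: str):
    """Return ('MATCH', rr) if h is an owner, ('COVER', rr) if h falls in a span."""
    for rr in chain:
        if rr.owner == h:
            return "MATCH", rr
        wraps = rr.owner > rr.next_owner  # last record points back to the first
        if (rr.owner < h < rr.next_owner) or (wraps and (h > rr.owner or h < rr.next_owner)):
            return "COVER", rr
    return None, None


def denial_status(chain, qname: str, salt: bytes, iterations: int) -> str:
    """Validator-side view of what the covering NSEC3 proves about qname."""
    kind, rr = find_nsec3(chain, nsec3_hash(qname, salt, iterations))
    if kind == "MATCH":
        return "EXISTS"
    if kind == "COVER" and rr.flags & OPT_OUT:
        # An opt-out span may contain unsigned delegations, so the validator
        # cannot treat the name as proven non-existent: denial is lost here.
        return "OPT_OUT_SPAN"
    if kind == "COVER":
        return "NXDOMAIN_PROVEN"
    return "BOGUS"  # nothing matches or covers the hash: the chain is broken


# Constructed leaf zone: apex + "www" + "mail", as in the post.
ZONE_NAMES = ["example.test.", "www.example.test.", "mail.example.test."]
SALT = bytes.fromhex("0102")
ITERATIONS = 0


def compare(qname: str):
    """Same zone signed twice, with and without Opt-Out; same query to both."""
    vanilla = build_chain(ZONE_NAMES, SALT, ITERATIONS, 0)
    opt_out = build_chain(ZONE_NAMES, SALT, ITERATIONS, OPT_OUT)
    return {"vanilla": denial_status(vanilla, qname, SALT, ITERATIONS),
            "opt_out": denial_status(opt_out, qname, SALT, ITERATIONS)}


if __name__ == "__main__":
    for q in ["www.example.test.", "nonexistent.example.test."]:
        print(q, compare(q))
```

For the three-name zone both chains have three records either way, so opt-out saves nothing (there are no unsigned delegations to leave out), while the same covering record now only yields `OPT_OUT_SPAN` instead of `NXDOMAIN_PROVEN` for a non-existent name. That is the trade the post describes: no size or signing-cost benefit in a leaf zone, and a weaker proof of non-existence in return.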

