Re: draft-arends-dnsnr-00

Roy Arends <roy@dnss.ec> Fri, 30 July 2004 07:58 UTC

From: Roy Arends <roy@dnss.ec>
Subject: Re: draft-arends-dnsnr-00
Date: Fri, 30 Jul 2004 09:58:02 +0200
Lines: 64
Sender: owner-namedroppers@ops.ietf.org
References: <Pine.BSO.4.56.0407121709550.12231@trinitario.schlyter.se> <Pine.GSO.4.55.0407271136500.5963@filbert> <Pine.BSO.4.56.0407271741320.11200@trinitario.schlyter.se> <Pine.GSO.4.55.0407271447030.16911@filbert> <Pine.BSO.4.56.0407280912300.11025@trinitario.schlyter.se> <a06020411bd2f0d31ad02@[192.136.136.102]>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: namedroppers@ops.ietf.org
X-From: owner-namedroppers@ops.ietf.org Fri Jul 30 10:10:39 2004
Return-path: <owner-namedroppers@ops.ietf.org>
X-X-Sender: roy@trinitario.schlyter.se
To: Edward Lewis <edlewis@arin.net>
In-Reply-To: <a06020411bd2f0d31ad02@[192.136.136.102]>
Precedence: bulk
Message-ID: <20140418071907.2560.75836.ARCHIVE@ietfa.amsl.com>

On Thu, 29 Jul 2004, Edward Lewis wrote:

> I hope there's time to talk about this in San Diego (outside the
> meeting) - reading the doc and the ensuing thread has given me a
> headache. ;)

Let's do beer.

> I thought the draft was introducing a new requirement for authoritative
> non-existence, not needing to cover unsecured delegation points.  I
> thought this was about lightening the load on "widely delegated" zones
> (eliminating the need to include "NXT's" for un-DS'd delegations).

Yes. That is one of the requirements.

> But the thread started on this non-repudiation thing I couldn't make
> heads or tails of.  To someone - you're right.  Too many negatives in
> there somewhere.

I don't think you're not right. ;)

So, yeah, I changed the name to NSEC3 to avoid confusion.

> Of course I can sign "www.example.com A" and *then* sign a statement
> that I didn't - and still be valid.

You can, but it wouldn't be valid. It is not that atomic. If you'd sign
"www.example.com A" you should sign a statement that you did, then serve
it as a whole. A MUST, not even a SHOULD.

Since that is called "authenticated denial of existence", a statement like
Authenticated denial of existence is a statement that is either
true or false. A one bit thing. Invert the statement and it would be
authenticated proof of existence. The law of the Excluded Middle as Paul
Vixie pointed out.

So I looked for a meta-term that did not have the word 'existence',
'absence' nor 'denial' since that would discriminate half of the
statement.

Since a statement was signed to prove absence or existence, as a method to
avoid that statement being repudiated by anyone (by simply replacing a
positive response by a negative response), I used the term non-repudiation.
Maybe ill-chosen, maybe not, it doesn't matter, the term is now NSEC3.
Small gesture for the purpose of clarity.

> It's okay so long as I remove the "www.example.com A" when I sign again.
> ;) And, through the magic of caching, both statements can be floating in
> the ether simultaneously.

Yes, that is an operational thing. If it hurts too much, fiddle TTL.

> And that's why the non-repudiation stuff makes no sense to me.

No more non-repudiation for me. I'm a little scared to be drowned in the
marina for bringing back Opt-In.

Roy
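The "one bit" point Roy makes above (the same signed chain either proves a name exists or proves it does not, and a response that merely swaps a positive answer for a negative one cannot validate) can be seen in a small model. The following is an added example, not code from the thread or from the draft: it builds a plain NSEC-style chain over a constructed zone, uses an HMAC as a stand-in for a real RRSIG over a zone key, and shows a validator rejecting a replayed denial that does not actually cover the queried name. The zone contents, key and all helper names are assumptions made for the example; the hashed-owner variant the draft proposes is not modelled here.

```python
"""Toy model of NSEC-style authenticated denial of existence (added example).

Constructed data only: the zone, the key and the record format are made up
for illustration and are not the draft's wire format.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# (owner, next owner, RR types present at owner): one link of the circular chain
NsecRecord = Tuple[str, str, Tuple[str, ...]]

# Constructed zone: owner name -> RR types present at that name.
ZONE: Dict[str, Tuple[str, ...]] = {
    "example": ("SOA", "NS", "DNSKEY"),
    "a.example": ("A",),
    "www.example": ("A", "AAAA"),
    "z.example": ("TXT",),
}

# Stand-in for the zone's private signing key; a real zone uses RRSIG/DNSKEY.
ZONE_KEY = b"constructed-zone-key-for-the-example"


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key for DNS canonical ordering: labels compared right to left,
    case-insensitively, with a shorter prefix name sorting first."""
    labels = name.rstrip(".").lower().encode("ascii").split(b".")
    return tuple(reversed(labels))


def build_chain(zone: Dict[str, Tuple[str, ...]]) -> List[NsecRecord]:
    """Sort the owners canonically and link each one to the next; the last
    owner points back to the apex so every possible name falls in an interval."""
    owners = sorted(zone, key=canonical_key)
    return [
        (owner, owners[(i + 1) % len(owners)], tuple(sorted(zone[owner])))
        for i, owner in enumerate(owners)
    ]


def covers(rec: NsecRecord, qname: str) -> bool:
    """True if qname lies strictly between rec's owner and next name.
    The final record wraps past the zone apex, so its interval is inverted."""
    lo, hi, q = canonical_key(rec[0]), canonical_key(rec[1]), canonical_key(qname)
    if lo == hi:            # single-name zone: everything but the owner is covered
        return q != lo
    if lo < hi:
        return lo < q < hi
    return q > lo or q < hi  # wrap-around interval of the last record


def answer(chain: List[NsecRecord], qname: str, qtype: str) -> Tuple[str, NsecRecord]:
    """Decide the answer from the chain alone: exactly one of the three outcomes
    applies to any (name, type) pair, which is the 'one bit' property."""
    q = canonical_key(qname)
    for rec in chain:
        if canonical_key(rec[0]) == q:
            # The name exists; its record also says which types are present.
            return ("positive" if qtype in rec[2] else "nodata", rec)
    for rec in chain:
        if covers(rec, qname):
            return ("nxdomain", rec)
    raise AssertionError("a well-formed chain covers every name")


def sign(rec: NsecRecord) -> str:
    """HMAC stand-in for the RRSIG the zone owner publishes over each record."""
    msg = "|".join([rec[0], rec[1], ",".join(rec[2])]).encode("ascii")
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()


def verify_nxdomain(rec: NsecRecord, sig: str, qname: str) -> bool:
    """Validator side: the record must carry a good signature AND its interval
    must actually cover qname. A replayed denial for some other name fails the
    second test even though its signature is genuine."""
    return hmac.compare_digest(sign(rec), sig) and covers(rec, qname)


if __name__ == "__main__":
    chain = build_chain(ZONE)
    for rec in chain:
        print(f"{rec[0]:>12} -> {rec[1]:<12} {rec[2]}")
    for q, t in [("www.example", "A"), ("www.example", "MX"), ("b.example", "A")]:
        kind, rec = answer(chain, q, t)
        print(f"{q} {t}: {kind} (via {rec[0]})")
    denial = chain[1]                        # a.example -> www.example
    print("replay against www.example:", verify_nxdomain(denial, sign(denial), "www.example"))
```

The last lines illustrate the replay Edward worries about: the record that legitimately denies `b.example` is signed, but a validator asked about `www.example` rejects it because the interval does not cover that name. What the model cannot show is the caching race in the thread, where an old denial and a new positive answer are both still valid within their TTLs; that is the operational point, not a property of the proof.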

archive: <http://ops.ietf.org/lists/namedroppers/>