----- Original Message -----
From: "Erik Nordmark" <[EMAIL PROTECTED]>

> If the DNS servers don't care about potential DoS attacks and having on-line
> keys then signing on the fly could work. But that is a huge "if".
> The DoS attack is that anybody can send DNS queries to have the DNS server
> spend all its CPU generating signatures on the fly.
> Sure sounds like a bad design from a security and robustness perspective.
> Which is why I said it is not advisable. But it is a possibility.

> I don't understand what "opt-in" has to do with IDN. Could you please explain?

Multilingual names that have character equivalency issues will have to opt-out of DNSSEC.

> Your third idea (SIG RRs for all permutations) has a natural follow-on:
> If you have enough memory/storage for the large SIG RRs for all permutations
> then the additional memory/storage for the underlying RRs for all permutations
> will be very small. So in practise this sounds like creating all permutations
> in the zone file e.g. at registration time.
> That (or just a subset of all permutations picked at registration time) has the
> benefit of not requiring any changes to the DNS server software.

Erik, honestly, I don't have the exact "best" solution yet. My point is that there are "possibilities" and we should not rule the entire thing out just because it might be a bit difficult.

I really want to stop talking about this subject on this list, but it seems to me very irresponsible, especially considering that I am an implementor of this technology, that I would have to tell my customers that:

A.example is NOT the same as A.example

How can I do that? Any normal person in this world would not accept this, yet I am creating a system that forces them to accept that. I could step back and say, "oh well, buyers beware", but it just doesn't seem right. Do you think it is right?

Edmon
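The "SIG RRs for all permutations" approach discussed above, as an added example that is not from this thread or either author: it expands a label over a constructed, hypothetical character-equivalence table (the table, the label and the one-signature-per-RRset assumption are all assumptions) and counts how many variant names, and therefore how many pre-computed signatures, a zone would have to carry at registration time instead of signing on the fly.

```python
from itertools import product

# Constructed, hypothetical equivalence table: each character maps to the set of
# characters a registry treats as interchangeable with it. Real tables (e.g. for
# traditional/simplified Chinese) are far larger; this one only illustrates the growth.
EQUIV = {
    "a": {"a", "\uff41"},  # ASCII 'a' and fullwidth 'ａ'
    "e": {"e", "\u00e9"},  # 'e' and 'é'
}

def equivalence_class(ch, equiv=EQUIV):
    """Characters considered equivalent to `ch`; a character with no entry is its own class."""
    return sorted(equiv.get(ch, {ch}))

def variants(label, equiv=EQUIV):
    """Every spelling of `label` reachable by substituting equivalent characters.

    This is the set of names that would all have to exist (and be signed) in the zone
    for a lookup under any equivalent spelling to validate under DNSSEC.
    """
    classes = [equivalence_class(ch, equiv) for ch in label]
    return ["".join(combo) for combo in product(*classes)]

def variant_count(label, equiv=EQUIV):
    """Number of variants without materialising them: product of class sizes."""
    n = 1
    for ch in label:
        n *= len(equivalence_class(ch, equiv))
    return n

def precomputed_records(label, equiv=EQUIV, rrsets_per_name=1):
    """Records the zone must hold if every variant is registered and signed in advance.

    Assumes one signature record per RRset per name (a simplification, labelled as such);
    each variant therefore contributes its data RRsets plus the same number of signatures.
    """
    return variant_count(label, equiv) * rrsets_per_name * 2

if __name__ == "__main__":
    label = "example"  # constructed sample label
    for name in variants(label):
        print(name)
    print(variant_count(label), "variants,",
          precomputed_records(label, rrsets_per_name=3), "records with 3 RRsets each")
```

The count grows as the product of the class sizes over the label length, which is why Erik's point about the underlying RRs being small relative to the signatures matters: the expensive part of each variant is the signature, not the A or AAAA record itself.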
