> One of the possibilities obviously is signing on the fly (perhaps less
> advisable), the other the use of opt-in (still in progress... problematic
> domains will have to opt-out), and thirdly to have SIG RRs for all
> permutations (readily possible).
Edmon,

If the DNS servers don't care about potential DoS attacks and having on-line keys then signing on the fly could work. But that is a huge "if". The DoS attack is that anybody can send DNS queries to have the DNS server spend all its CPU generating signatures on the fly. Sure sounds like a bad design from a security and robustness perspective.

I don't understand what "opt-in" has to do with IDN. Could you please explain?

Your third idea (SIG RRs for all permutations) has a natural follow-on: If you have enough memory/storage for the large SIG RRs for all permutations then the additional memory/storage for the underlying RRs for all permutations will be very small. So in practice this sounds like creating all permutations in the zone file e.g. at registration time. That (or just a subset of all permutations picked at registration time) has the benefit of not requiring any changes to the DNS server software.

Erik
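The registration-time expansion Erik describes, as an added example that is not part of the thread: every variant permutation of a registered label is materialised as an ordinary zone record (a CNAME to the registered name), so the zone is signed once off-line and the authoritative server needs no IDN-specific code. The variant table, the `example` zone and the 192.0.2.1 address are constructed placeholders.

```python
import itertools
from typing import Dict, List

# Constructed variant table: each character maps to the string of characters it
# is considered interchangeable with (itself included).  A real registry would
# use its language variant tables; these two pairs are illustrative only.
VARIANTS: Dict[str, str] = {
    "国": "国國",
    "门": "门門",
}


def expand_label(label: str, variants: Dict[str, str] = VARIANTS) -> List[str]:
    """Return every permutation of `label` obtained by substituting variant
    characters position by position.  The registered label is returned first;
    duplicates (characters with no variants) are removed."""
    choices = [variants.get(ch, ch) for ch in label]
    seen = {label}
    out = [label]
    for combo in itertools.product(*choices):
        candidate = "".join(combo)
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)
    return out


def to_ace(label: str) -> str:
    """ASCII-compatible (xn--) form of a label, as written in a zone file."""
    return label.encode("idna").decode("ascii")


def zone_lines(label: str, zone: str,
               variants: Dict[str, str] = VARIANTS) -> List[str]:
    """Zone-file lines for one registration: the registered name owns the data
    and every other permutation is a CNAME to it.  All of these records are
    signed with the rest of the zone, so no on-line key is needed."""
    canonical = f"{to_ace(label)}.{zone}."
    lines = [f"{canonical} IN A 192.0.2.1"]  # placeholder address
    for alt in expand_label(label, variants)[1:]:
        lines.append(f"{to_ace(alt)}.{zone}. IN CNAME {canonical}")
    return lines


if __name__ == "__main__":
    for line in zone_lines("国门", "example"):
        print(line)
```

The number of generated records grows multiplicatively with the label length and the size of each character's variant set, which is exactly why a registry may choose "just a subset of all permutations picked at registration time".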
