For the same reasons as the thread on CDN (i.e., not of core interest), this thread is also out of scope, so please take it offline. I already gave you my comments offline.
Thanks!
-James Seng

----- Original Message -----
From: "Edmon" <[EMAIL PROTECTED]>
To: "Erik Nordmark" <[EMAIL PROTECTED]>
Cc: "Patrik Fältström" <[EMAIL PROTECTED]>; "Masahiro Sekiguchi" <[EMAIL PROTECTED]>; "IETF-IDN" <[EMAIL PROTECTED]>
Sent: Friday, January 25, 2002 12:14 AM
Subject: Re: [idn] Re: Optional & Additional Character Equivalence Preparations by Zone

> ----- Original Message -----
> From: "Erik Nordmark" <[EMAIL PROTECTED]>
>
> > If the DNS servers don't care about potential DoS attacks and having on-line
> > keys then signing on the fly could work. But that is a huge "if".
> > The DoS attack is that anybody can send DNS queries to have the DNS server
> > spend all its CPU generating signatures on the fly.
> > Sure sounds like a bad design from a security and robustness perspective.
>
> Which is why I said it is not advisable. But it is a possibility.
>
> > I don't understand what "opt-in" has to do with IDN. Could you please
> > explain?
>
> Multilingual names that have character equivalency issues will have to
> opt-out of DNSSEC.
>
> > Your third idea (SIG RRs for all permutations) has a natural follow-on:
> > If you have enough memory/storage for the large SIG RRs for all permutations
> > then the additional memory/storage for the underlying RRs for all permutations
> > will be very small. So in practice this sounds like creating all permutations
> > in the zone file e.g. at registration time.
> > That (or just a subset of all permutations picked at registration time) has the
> > benefit of not requiring any changes to the DNS server software.
>
> Erik, honestly, I don't have the exact "best" solution yet. My point is that
> there are "possibilities" and we should not rule the entire thing out just
> because it might be a bit difficult. I really want to stop talking about
> this subject on this list, but it seems to me very irresponsible, especially
> considering that I am an implementor of this technology, that I would have to
> tell my customers that:
>
> A.example is NOT the same as A.example
>
> How can I do that? Any normal person in this world would not accept this,
> yet I am creating a system that forces them to accept that. I could step
> back and say, "oh well, buyers beware", but it just doesn't seem right. Do
> you think it is right?
>
> Edmon
>
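The "materialise every permutation in the zone at registration time" option Erik describes, shown as an added example that is not part of this thread: every equivalent spelling becomes an ordinary owner name, so an unmodified offline signer covers them and no online key or on-the-fly signing is needed. The equivalence table `EQUIV` and the helper names are constructed and hypothetical.

```python
import itertools
from typing import Dict, List, Optional

# Constructed, hypothetical equivalence table: each character maps to the
# characters a zone treats as interchangeable with it. Real tables (e.g.
# traditional/simplified Chinese variants) are far larger, which is why the
# storage Erik points at grows so quickly.
EQUIV: Dict[str, str] = {
    "a": "aá",
    "o": "oó",
    "u": "uü",
}


def variant_count(label: str) -> int:
    """Number of equivalent spellings: the product of the class sizes."""
    n = 1
    for ch in label:
        n *= len(set(EQUIV.get(ch, ch)))
    return n


def variants(label: str, limit: Optional[int] = None) -> List[str]:
    """Enumerate equivalent spellings in a deterministic order.

    `limit` models the 'subset of all permutations picked at registration
    time' option: the registry stops after that many."""
    classes = [sorted(set(EQUIV.get(ch, ch))) for ch in label]
    out: List[str] = []
    for combo in itertools.product(*classes):
        if limit is not None and len(out) >= limit:
            break
        out.append("".join(combo))
    return out


def zone_records(label: str, zone: str, limit: Optional[int] = None) -> List[str]:
    """One CNAME per non-canonical variant, pointing at the canonical name.

    Each line is a plain RR, so a standard DNSSEC signer signs the whole set
    offline at zone-signing time. A real zone file would carry the ACE
    (Punycode) form of each label rather than raw Unicode."""
    return [f"{v}.{zone}. IN CNAME {label}.{zone}."
            for v in variants(label, limit) if v != label]
```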
