Re: [idn] Re: Optional & Additional Character Equivalence Preparations by Zone

[Erik Nordmark <Erik.Nordmark@eng.sun.com>]

> One of the possibility obviously is signing on the fly (perhaps less
> advisable), the other the use of opt-in (still in progress... problematic
> domains will have to opt-out), and thirdly to have sig rrs for all
> permutations (readily possible).

Edmon,

If the DNS servers don't care about potential DoS attacks and having on-line
keys then signing on the fly could work. But that is a huge "if".
The DoS attack is that anybody can send DNS queries to have the DNS server
spend all its CPU generating signatures on the fly.
Sure sounds like a bad design from a security and robustness perspective.

I don't understand what "opt-in" has to do with IDN. Could you please explain?

Your third idea (SIG RRs for all permutations) has a natural follow-on:
If you have enough memory/storage for the large SIG RRs for all permutations
then the additional memory/storage for the underlying RRs for all permutations
will be very small. So in practise this sounds like creating all permutations
in the zone file e.g. at registration time.
That (or just a subset of all permutations picked at registration time) has the
benefit of not requiring any changes to the DNS server software.

   Erik