Opt-in is a method to disable the authenticated denial of existence
for a range of domain names in a zone. It was developed to
generate a sparse set of NSEC RRs in a zone that contains mostly
delegations, i.e. to opt in the secure delegations. The span of
delegations for which authenticated denial is not available is still
indicated using an NSEC resource record. The 'NSEC-bit' in the type
bitmap of the NSEC RDATA is used to signal the different semantics of
the opt-in type NSEC RR.
Opt-in is a methodology that is backwards incompatible with DNSSEC; in
order to perform a trial, the methodology described in
draft-ietf-dnsext-dnssec-experiments is applied.
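The following sketch is an added example, not code from the draft or from any DNSSEC implementation. It shows how a validator could read the 'NSEC-bit' from an NSEC type bitmap and decide whether the record authenticates denial of existence for its span. It assumes the RFC 4034 windowed bitmap encoding and the Opt-In specification's convention that an opt-in NSEC RR is one whose bitmap lacks the NSEC bit; the function names and sample type sets are constructed for illustration.

```python
NSEC_TYPE = 47  # RR type code for NSEC (RFC 4034)

def encode_type_bitmap(types):
    """Encode RR type codes into the RFC 4034 windowed type bitmap."""
    windows = {}
    for t in types:
        if not 0 <= t <= 0xFFFF:
            raise ValueError("RR type out of range")
        bitmap = windows.setdefault(t >> 8, bytearray(32))
        bitmap[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for win in sorted(windows):
        trimmed = bytes(windows[win]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([win, len(trimmed)]) + trimmed
    return bytes(out)

def decode_type_bitmap(data):
    """Decode a type bitmap into a set of type codes, rejecting malformed input."""
    types, pos, last_window = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        if window <= last_window:
            raise ValueError("window blocks out of order")
        if not 1 <= length <= 32 or pos + length > len(data):
            raise ValueError("bad bitmap length")
        for i, octet in enumerate(data[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((window << 8) | (i << 3) | bit)
        pos += length
        last_window = window
    return types

def classify_nsec(bitmap):
    """Return 'standard' if the NSEC bit is set, otherwise 'opt-in'.

    For an opt-in NSEC RR the validator must not treat the span as
    authenticated denial: unsigned delegations may exist inside it.
    """
    return "standard" if NSEC_TYPE in decode_type_bitmap(bitmap) else "opt-in"

# Constructed samples: a secure delegation owner (NS, DS, RRSIG) with and
# without the NSEC bit in its own NSEC record's type bitmap.
STANDARD = encode_type_bitmap({2, 43, 46, 47})
OPT_IN = encode_type_bitmap({2, 43, 46})
```
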
Working Group Summary
This document had a thorough technical review a couple of years ago,
around 2002. This version of the document has been slightly updated
to reflect changes to DNSSEC since 2002 and to turn it into an experiment
of the form described in draft-ietf-dnsext-dnssec-experiments.
During the development of the OPT-IN spec, before and in 2002, there was
in-depth review and feedback by several core members of the working
group. At that time the consensus was that the document was
technologically solid, but there was no consent to the mechanism.
This time around the views of many folk have changed and they do not have
any problems with the OPT-IN technology going forward as an experiment.
The same functionality is introduced in work currently in DNSEXT, NSEC3.
The document has been reviewed by
he is one of the initial editors)
and dnsext chair Olaf Kolkman.
There has been some discussion after we advanced the document in which it
became clear that Ed Lewis also reviewed the document and supported