DNS/DNSSEC/RFC4956について、ここに記述してください。
http://tools.ietf.org/html/rfc4956
Experimental
DNSSEC unsigned delegation
Abstract
In the DNS security (DNSSEC) extensions, delegations to unsigned subzones are cryptographically secured. Maintaining this cryptography is not always practical or necessary. This document describes an experimental "Opt-In" model that allows administrators to omit this cryptography and manage the cost of adopting DNSSEC with large zones.
やらなくてもただちに危険という訳ではない。:-)
In DNSSEC, delegation NS RRsets are not signed, but are instead accompanied by an NSEC RRset of the same name and (possibly) a DS record. The security status of the subzone is determined by the presence or absence of the DS RRset, cryptographically proven by the NSEC record. Opt-In expands this definition by allowing insecure delegations to exist within an otherwise signed zone without the corresponding NSEC record at the delegation's owner name. These insecure delegations are proven insecure by using a covering NSEC record.
insecureだとわかったところで、どうするかはまた別の話ということ。 -- ToshinoriMaeno 2011-06-15 02:50:40