MoinQ:

DNS/DNSSEC/RFC4956について、ここに記述してください。

http://tools.ietf.org/html/rfc4956

Experimental

DNSSEC unsigned delegation

Abstract

   In the DNS security (DNSSEC) extensions, delegations to unsigned subzones are cryptographically secured.
   Maintaining this cryptography is not always practical or necessary. 
   This document describes an experimental "Opt-In" model that allows administrators
   to omit this cryptography and manage the cost of adopting DNSSEC with large zones.

やらなくてもただちに危険という訳ではない。:-)

In DNSSEC, delegation NS RRsets are not signed, but are instead
   accompanied by an NSEC RRset of the same name and (possibly) a DS record. 
The security status of the subzone is determined by the presence or absence of the DS RRset,
   cryptographically proven by the   NSEC record.
Opt-In expands this definition by allowing insecure
   delegations to exist within an otherwise signed zone without the
   corresponding NSEC record at the delegation's owner name.
These insecure delegations are proven insecure by using a covering NSEC record.

insecureだとわかったところで、どうするかはまた別の話ということ。 -- ToshinoriMaeno 2011-06-15 02:50:40