Opt-Out Considerations:

Note that with or without Opt-Out, an insecure delegation may be undetectably altered by an attacker. Because of this, the primary difference in security when using Opt-Out is the loss of the ability to prove the existence or nonexistence of an insecure delegation within the span of an Opt-Out NSEC3 RR.

In particular, this means that a malicious entity may be able to insert or delete RRs with unsigned names. These RRs are normally NS RRs, but this also includes signed wildcard expansions (while the wildcard RR itself is signed, its expanded name is an unsigned name).

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
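
Added example, not part of the original message: a validator-side sketch of why a name inside an Opt-Out span can be neither proven nor disproven. It implements the RFC 5155 NSEC3 hash (SHA-1) and the per-name covering check only, not the full closest-encloser proof. The zone names are constructed; the salt and iteration count are those of the RFC 5155 Appendix A sample zone.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto lowercase base32hex (RFC 4648).
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789abcdefghijklmnopqrstuv")
MATCHED = "matched: name is in the signed chain"
COVERED = "covered: no such name in the signed chain"
OPT_OUT = "covered by Opt-Out span: existence cannot be proven either way"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: H(x || salt), then `iterations` more rounds."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii")

def build_chain(signed_names, salt_hex, iterations, opt_out):
    """Circular NSEC3 chain as (owner_hash, next_hash, opt_out_flag) tuples."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in signed_names)
    return [(h, hashes[(i + 1) % len(hashes)], opt_out)
            for i, h in enumerate(hashes)]

def covers(owner, nxt, target):
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt  # last NSEC3 wraps to the first

def classify(name, chain, salt_hex, iterations):
    """What the NSEC3 chain lets a validator conclude about `name`."""
    h = nsec3_hash(name, salt_hex, iterations)
    for owner, nxt, opt_out in chain:
        if h == owner:
            return MATCHED
        if covers(owner, nxt, h):
            return OPT_OUT if opt_out else COVERED
    return "no covering NSEC3 in chain"

if __name__ == "__main__":
    salt, iters = "aabbccdd", 12
    signed = ["example", "ns1.example", "www.example"]  # constructed zone
    chain = build_chain(signed, salt, iters, opt_out=True)
    # A real insecure delegation and a name that was never in the zone
    # get the same answer, which is the loss described above.
    for n in ("unsigned-child.example", "never-delegated.example"):
        print(n, "->", classify(n, chain, salt, iters))
```
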