Re: [dane] Draft for serializing DNSSEC chains (01)
"W.C.A. Wijngaards" <wouter@NLnetLabs.nl> Mon, 04 July 2011 08:12 UTC
Message-ID: <4E1175F1.4080201@nlnetlabs.nl>
Date: Mon, 04 Jul 2011 10:12:33 +0200
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
To: dane@ietf.org
References: <BANLkTi=REwqsWR8emouLcXa9LXpWomaMoGmTVi3dd-7oQBnFFw@mail.gmail.com>
In-Reply-To: <BANLkTi=REwqsWR8emouLcXa9LXpWomaMoGmTVi3dd-7oQBnFFw@mail.gmail.com>
Hi Adam,

On 07/01/2011 07:16 PM, Adam Langley wrote:
> Addressing comments:
>
> 1) The details of the format have been pulled out from the
> verification procedure and the similarities to the DNS wire format
> have been highlighted.
> 2) A high level procedure for constructing the chains has been added.
>
> http://tools.ietf.org/html/draft-agl-dane-serializechain-01

It says:

    Filter the possible entry keys to only include those that have the SEP bit set in the flags.

But the RFCs say you MUST NOT distinguish based on the SEP bit. It is for human consumption (and perhaps signer automation). Skip this step and remove this line. Also at other points you check flags; again, the SEP flag is not required. Only the ZSK flag, which allows a DNSKEY to sign zone data (required for both KSK and ZSK keys, confusingly), is something to check.

In case of algorithm rollover by the zones, you need to pick up one key per algorithm to store, because some machines may support only one algorithm.

A DNAME can simply be treated like you treat the CNAME redirect, but you store the DNAME+RRSIG (the synthesized CNAME can be omitted since you want to save bytes), then you synthesize the redirect with DNAME rules (replace suffix labels).
Best regards,
Wouter
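The three points raised above (select entry keys on the Zone Key flag rather than the SEP bit, keep one key per algorithm across a rollover, and synthesize the DNAME redirect by replacing suffix labels) as an added Python example; this is not code from the draft or from anyone in the thread, and the DNSKEY records, key bytes and function names are constructed for illustration.

```python
"""Entry-key selection and DNAME redirect synthesis for a serialized DNSSEC chain.

Added example: the DNSKEY RDATA below is constructed (placeholder key bytes,
not real public keys) and the function names are this example's own.
"""
import struct
from collections import namedtuple

ZONE_KEY_FLAG = 0x0100   # RFC 4034 bit 7: the key may sign zone data (RRSIGs)
SEP_FLAG = 0x0001        # RFC 4034 bit 15: a hint only; validators MUST NOT use it
DNSKEY_PROTOCOL = 3      # the only protocol value a validator may accept

DNSKEY = namedtuple("DNSKEY", "flags protocol algorithm public_key")


def parse_dnskey_rdata(rdata: bytes) -> DNSKEY:
    """Decode DNSKEY RDATA (RFC 4034 2.1): flags(2) protocol(1) algorithm(1) key."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return DNSKEY(flags, protocol, algorithm, rdata[4:])


def select_entry_keys(rrset):
    """Return one usable DNSKEY per algorithm without consulting the SEP bit.

    Keys lacking the Zone Key flag or using protocol != 3 cannot verify RRSIGs
    and are dropped; of the rest, the first key seen per algorithm is kept so a
    client that supports only one of the algorithms still has an entry key.
    """
    chosen = {}
    for key in rrset:
        if not (key.flags & ZONE_KEY_FLAG) or key.protocol != DNSKEY_PROTOCOL:
            continue
        chosen.setdefault(key.algorithm, key)   # SEP_FLAG deliberately ignored
    return list(chosen.values())


def dname_redirect(qname: str, owner: str, target: str) -> str:
    """Synthesize the CNAME target for qname under DNAME owner -> target (RFC 6672)."""
    q = qname.lower().rstrip(".").split(".")
    o = owner.lower().rstrip(".").split(".")
    if len(q) <= len(o) or q[-len(o):] != o:      # the owner itself is not redirected
        raise ValueError(f"{qname} is not below DNAME owner {owner}")
    return ".".join(q[:-len(o)] + [target.rstrip(".")]) + "."


# Constructed RRset: a KSK (Zone Key + SEP), a ZSK, a ZSK of a second algorithm
# as seen mid-rollover, and a key without the Zone Key flag.
SAMPLE_RRSET = [parse_dnskey_rdata(rd) for rd in (
    struct.pack("!HBB", 0x0101, 3, 8) + b"ksk-alg8",
    struct.pack("!HBB", 0x0100, 3, 8) + b"zsk-alg8",
    struct.pack("!HBB", 0x0100, 3, 13) + b"zsk-alg13",
    struct.pack("!HBB", 0x0000, 3, 8) + b"not-a-zone-key",
)]
```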