Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

Mark Andrews <marka@isc.org> Fri, 11 March 2011 04:06 UTC

To: Stephan Lagerholm <stephan.lagerholm@secure64.com>
From: Mark Andrews <marka@isc.org>
References: <C99C3502.72B1%roy@nominet.org.uk> <alpine.LSU.2.00.1103082030190.5244@hermes-1.csi.cam.ac.uk><20110309133017.GA19809@odin.mars.sol><4D778C86.4020105@ogud.com> <DD056A31A84CFC4AB501BD56D1E14BBB9CC7CB@exchange.secure64.com> <3D41A425A17444EA8EEE8C78DD18D3E9@local> <DD056A31A84CFC4AB501BD56D1E14BBB9CC7FC@exchange.secure64.com> <20110310233332.C6406C0F4D4@drugs.dv.isc.org> <DD056A31A84CFC4AB501BD56D1E14BBB9CC828@exchange.secure64.com>
In-reply-to: Your message of "Thu, 10 Mar 2011 18:57:31 PDT." <DD056A31A84CFC4AB501BD56D1E14BBB9CC828@exchange.secure64.com>
Date: Fri, 11 Mar 2011 15:07:19 +1100
Message-Id: <20110311040719.E9EC1C36A68@drugs.dv.isc.org>
Cc: dnsext@ietf.org, Olafur Gudmundsson <ogud@ogud.com>
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

In message <DD056A31A84CFC4AB501BD56D1E14BBB9CC828@exchange.secure64.com>, "Stephan Lagerholm" writes:
> Mark,
> 
> >Running DS through a really old version of DiG produces this:
> >
> >isc.org.		20h56m50s IN TYPE43  \# 36 (	; unknown RR type
> >	32 5c 05 02 f1 e1 84 c0 e1 d6 15 d2 0e b3 c2 23 ; 2\.............#
> >	ac ed 3b 03 c7 73 dd 95 2d 5f 0e b5 c7 77 58 6d ; ..;..s..-_...wXm
> >	e1 8d a6 b5 )					; ....
> >isc.org.		20h56m50s IN TYPE43  \# 24 (	; unknown RR type
> >	32 5c 05 01 98 21 13 d0 8b 4c 6a 1d 9f 6a ee 1e ; 2\...!...Lj..j..
> >	22 37 ae f6 9f 3f 97 59 )			; "7...?.Y
> >
> >The key id is 0x325c (12892), the algorithm is 5 and the hashes are 2
> >for the first and 1 for the second.
> 
> Our definition of what "display it in a meaningful way" differs. If a
> new flag was used instead, then no changes to dig or any other program
> would be needed:
> 
>                         VVVV                    VVV
> isc.org.                5361    IN      DNSKEY  512 3 5
> BEAAAAO6L6BadeFzvt6J63GD
> GrFANfJAitCd9Njcj49y6PE1Bv6t33sE
> yxSVi4KWbjQgViMCxAArxP0IhDLhYFGbsU2ugkQ4UMFCPgY
> IVxC1yvBw 1Gt7p+SBQU9qX+Il/cqYTJWQkWRdDPHJoaMT1+f7e6YLlntxpl+M7yw3
> aOEbCByPzw==

The ongoing costs of trying to do this with DNSKEY flags completely
overwhelm the one-off costs of adding a new type.  DNSKEY flags change
key ids.  Revoke is already a mess as it changes the keyid.  Adding
a second changing flag to the mix is just not on.

I can add CDS to BIND in 10 minutes once I have the type code.
It would be weeks of work to add the key flags as you need to do
things like compute the signatures with and without the flag in
place or fully work out all the timing issues.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
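The two points argued above (reading the generic TYPE43 dump, and the claim that a DNSKEY flag bit changes the key id) can both be checked with a few lines of code. The following is an added worked example, not code from the thread or from BIND: it parses the RFC 3597 "\# len (hex)" form of the DS records quoted above into key tag, algorithm, digest type and digest, and computes the DNSKEY key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4) for the isc.org public key quoted above, once with the real KSK flags 257 and once with the hypothetical flags value 512 shown in the quoted DNSKEY line. The 257-versus-512 comparison is an assumption chosen to illustrate the argument; the example makes no claim that the computed tag equals 12892, since the quoted base64 may be mangled by mail wrapping.

```python
"""Added worked example for the CDS thread: decode generic DS RDATA and show
that changing a DNSKEY flag bit changes both the key tag and the DS digest.
Not code from the original message or from BIND."""
import base64
import hashlib
import re

# Constructed from the two TYPE43 records quoted in the thread (RFC 3597 generic form).
DS_GENERIC_1 = r"""isc.org. 20h56m50s IN TYPE43 \# 36 ( ; unknown RR type
    32 5c 05 02 f1 e1 84 c0 e1 d6 15 d2 0e b3 c2 23 ; 2\.............#
    ac ed 3b 03 c7 73 dd 95 2d 5f 0e b5 c7 77 58 6d ; ..;..s..-_...wXm
    e1 8d a6 b5 ) ; ....
"""
DS_GENERIC_2 = r"""isc.org. 20h56m50s IN TYPE43 \# 24 ( ; unknown RR type
    32 5c 05 01 98 21 13 d0 8b 4c 6a 1d 9f 6a ee 1e ; 2\...!...Lj..j..
    22 37 ae f6 9f 3f 97 59 ) ; "7...?.Y
"""
# The DNSKEY public key as quoted in the thread (whitespace from mail wrapping removed).
ISC_KEY_B64 = (
    "BEAAAAO6L6BadeFzvt6J63GDGrFANfJAitCd9Njcj49y6PE1Bv6t33sE"
    "yxSVi4KWbjQgViMCxAArxP0IhDLhYFGbsU2ugkQ4UMFCPgYIVxC1yvBw"
    "1Gt7p+SBQU9qX+Il/cqYTJWQkWRdDPHJoaMT1+f7e6YLlntxpl+M7yw3aOEbCByPzw=="
)

def parse_generic_rdata(text: str) -> bytes:
    """Extract the RDATA bytes from an RFC 3597 '\\# <len> ( <hex> )' record,
    checking that the declared length matches the hex actually present."""
    body = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    m = re.search(r"\\#\s+(\d+)\s*\(?\s*([0-9a-fA-F\s]*)\)?", body)
    if not m:
        raise ValueError("no generic RDATA found")
    declared = int(m.group(1))
    data = bytes.fromhex("".join(m.group(2).split()))
    if len(data) != declared:
        raise ValueError(f"declared {declared} bytes, found {len(data)}")
    return data

def parse_ds(rdata: bytes) -> dict:
    """Split DS RDATA (RFC 4034 section 5.1) into its fields and sanity-check
    the digest length against the digest type (1 = SHA-1, 2 = SHA-256)."""
    if len(rdata) < 4:
        raise ValueError("DS RDATA too short")
    digest_type = rdata[3]
    digest = rdata[4:]
    expected = {1: 20, 2: 32}.get(digest_type)
    if expected is not None and len(digest) != expected:
        raise ValueError("digest length does not match digest type")
    return {
        "key_tag": int.from_bytes(rdata[:2], "big"),
        "algorithm": rdata[2],
        "digest_type": digest_type,
        "digest": digest.hex(),
    }

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """Build DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: the flags word is the first term summed,
    so any change to a flag bit changes the tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, as DS digests require."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"

def ds_digest(owner: str, dnskey: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name wire form | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + dnskey).hexdigest()

def flag_change_effect(flags_a: int, flags_b: int):
    """Key tags and SHA-256 DS digests for the quoted key under two flag values
    (hypothetical comparison; flags_b = 512 is the value shown in the thread)."""
    ra = dnskey_rdata(flags_a, 3, 5, ISC_KEY_B64)
    rb = dnskey_rdata(flags_b, 3, 5, ISC_KEY_B64)
    return key_tag(ra), key_tag(rb), ds_digest("isc.org.", ra, 2), ds_digest("isc.org.", rb, 2)

if __name__ == "__main__":
    for rec in (DS_GENERIC_1, DS_GENERIC_2):
        print(parse_ds(parse_generic_rdata(rec)))
    print(flag_change_effect(257, 512))
```

Running it prints the two DS records as key tag 12892, algorithm 5, digest types 2 and 1, and shows that the key tag and DS digest computed with flags 257 differ from those computed with flags 512: every parent DS, and every CDS, would have to be regenerated each time such a flag flipped, which is the operational cost the reply is pointing at.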