Re: [dnsext] DNSSEC, robustness, and several DS records

Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 12 May 2011 08:03 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCBEBE0746 for <dnsext@ietfa.amsl.com>; Thu, 12 May 2011 01:03:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.249
X-Spam-Level:
X-Spam-Status: No, score=-110.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id orXrVDPKdjRV for <dnsext@ietfa.amsl.com>; Thu, 12 May 2011 01:03:30 -0700 (PDT)
Received: from mx2.nic.fr (mx2.nic.fr [192.134.4.11]) by ietfa.amsl.com (Postfix) with ESMTP id 4D499E0724 for <dnsext@ietf.org>; Thu, 12 May 2011 01:03:12 -0700 (PDT)
Received: from mx2.nic.fr (localhost [127.0.0.1]) by mx2.nic.fr (Postfix) with SMTP id 049921C0102; Thu, 12 May 2011 09:58:11 +0200 (CEST)
Received: from relay1.nic.fr (relay1.nic.fr [192.134.4.162]) by mx2.nic.fr (Postfix) with ESMTP id F3E141C00FE; Thu, 12 May 2011 09:58:10 +0200 (CEST)
Received: from bortzmeyer.nic.fr (batilda.nic.fr [192.134.4.69]) by relay1.nic.fr (Postfix) with ESMTP id F1B6056812C; Thu, 12 May 2011 09:58:10 +0200 (CEST)
Date: Thu, 12 May 2011 09:58:10 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Stephan Lagerholm <stephan.lagerholm@secure64.com>
Message-ID: <20110512075810.GB17883@nic.fr>
References: <201105112022.p4BKMHmp010275@givry.fdupont.fr> <20110512012832.296D7EAE55F@drugs.dv.isc.org> <DD056A31A84CFC4AB501BD56D1E14BBBA1C13B@exchange.secure64.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <DD056A31A84CFC4AB501BD56D1E14BBBA1C13B@exchange.secure64.com>
X-Operating-System: Debian GNU/Linux 6.0.1
X-Kernel: Linux 2.6.32-5-686 i686
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] DNSSEC, robustness, and several DS records
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2011 08:03:30 -0000

On Wed, May 11, 2011 at 07:45:34PM -0600,
 Stephan Lagerholm <stephan.lagerholm@secure64.com> wrote 
 a message of 84 lines which said:

> I think it is fair to say that the DNSSEC functionality of a
> resolver without support for SHA-2 is highly limited. [...] I'm
> noticing that FR currently only has a SHA-2 in the root zone. I
> guess they came to the same conclusion.

There are not only resolvers, there are also signing tools. We allow
SHA-1 DS in .FR because some users may be unable to produce SHA-2
DS. (Another solution would be to accept only DNSKEY and create the DS
ourselves but this is for another thread.)