Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

Mark Andrews <marka@isc.org> Thu, 10 March 2011 23:32 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 15BB43A67B2 for <dnsext@core3.amsl.com>; Thu, 10 Mar 2011 15:32:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.543
X-Spam-Level:
X-Spam-Status: No, score=-2.543 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JTg+iEP42Usx for <dnsext@core3.amsl.com>; Thu, 10 Mar 2011 15:32:34 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by core3.amsl.com (Postfix) with ESMTP id 974F23A67A3 for <dnsext@ietf.org>; Thu, 10 Mar 2011 15:32:33 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id B99C55F984C; Thu, 10 Mar 2011 23:33:36 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:ea06:88ff:fef3:4f9c]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id CAF4F216C1E; Thu, 10 Mar 2011 23:33:34 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id C6406C0F4D4; Fri, 11 Mar 2011 10:33:32 +1100 (EST)
To: "Stephan Lagerholm" <stephan.lagerholm@secure64.com>
From: Mark Andrews <marka@isc.org>
References: <C99C3502.72B1%roy@nominet.org.uk> <alpine.LSU.2.00.1103082030190.5244@hermes-1.csi.cam.ac.uk><20110309133017.GA19809@odin.mars.sol><4D778C86.4020105@ogud.com> <DD056A31A84CFC4AB501BD56D1E14BBB9CC7CB@exchange.secure64.com> <3D41A425A17444EA8EEE8C78DD18D3E9@local> <DD056A31A84CFC4AB501BD56D1E14BBB9CC7FC@exchange.secure64.com>
In-reply-to: Your message of "Thu, 10 Mar 2011 12:48:30 PDT." <DD056A31A84CFC4AB501BD56D1E14BBB9CC7FC@exchange.secure64.com>
Date: Fri, 11 Mar 2011 10:33:32 +1100
Message-Id: <20110310233332.C6406C0F4D4@drugs.dv.isc.org>
Cc: dnsext@ietf.org, Olafur Gudmundsson <ogud@ogud.com>
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2011 23:32:35 -0000

In message <DD056A31A84CFC4AB501BD56D1E14BBB9CC7FC@exchange.secure64.com>om>, "Ste
phan Lagerholm" writes:
> George B and Mark A,
> 
> >In either case the software that signs zones has to be updated.
> 
> If adding a new flag to DNSKEY and if the software already supports the
> DNSKEY RR with arbitrary flags, then no update is needed. For example, I
> could use an old version of ISC dig and still make sense out of the
> DNSKEY record even if a new flag was added. But I had to upgrade ISC dig
> if I wanted to figure out details about the CDS record.

Running DS throug a really old version of DiG produces this:

isc.org.		20h56m50s IN TYPE43  \# 36 (	; unknown RR type
	32 5c 05 02 f1 e1 84 c0 e1 d6 15 d2 0e b3 c2 23 ; 2\.............#
	ac ed 3b 03 c7 73 dd 95 2d 5f 0e b5 c7 77 58 6d ; ..;..s..-_...wXm
	e1 8d a6 b5 )					; ....
isc.org.		20h56m50s IN TYPE43  \# 24 (	; unknown RR type
	32 5c 05 01 98 21 13 d0 8b 4c 6a 1d 9f 6a ee 1e ; 2\...!...Lj..j..
	22 37 ae f6 9f 3f 97 59 )			; "7...?.Y

The key id is 0x325c (12892), the algorithm in 5 and the hashs are 2
for the first and 1 for the second.

> >If the output is in text format, the generic text format of RFC3597
> section 5
> >may be used if the serving software for the master server has not been
> updated.
> 
> The RDATA field would still just be a "blob". How would I for example be
> able to verify the Key Tag, Algorithm or Digest Type field unless the
> software you are using is programmed to understand that the format the
> same as for the DS record?

Given the blob is printed in hex you could just read two of those fields
directly and the third nearly as easily.

	Digest type: 01 or 02 (currently in use)
	Algorithm: 01 ... 0a  (currently in use)
	Keytag: is a little harder but not much.

Or you could take the TYPEXXX .... and turn in into TYPE43 ... and
put that through any piece of software that understands DS and
unknown types.

> >The software for secondary servers does not need to be updated in any
> case,
> >assuming it implements RFC3597 ( that is it can handle unknown types ),
> >which is of course the case for all mainstream implementations.
> 
> Agreed, I'm taking about software that interacts with humans and try to
> display something meaningful for them (provisioning system, IPAM,
> debugging tools, etc)
> 
> (For the record, I'm positive to this draft other than using a new RR
> type. I would rather like to see an "embryonic" flag to the DNSKEY
> similar to what the revoked flag is doing for old keys is RFC5011)
> 
> /S
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org