Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

Andrew Sullivan <> Wed, 09 March 2011 13:56 UTC

Date: Wed, 9 Mar 2011 08:57:00 -0500
From: Andrew Sullivan <>
Message-ID: <>
References: <> <> <20110309133017.GA19809@odin.mars.sol>
In-Reply-To: <20110309133017.GA19809@odin.mars.sol>
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

No hat.

On Wed, Mar 09, 2011 at 08:30:17AM -0500, Scott Schmit wrote:

> I'm inclined to agree with this, but even if it's decided that the
> DNSKEY RRs aren't sufficient, why not just use DS on the client side? I
> see that RFC 3658 forbids it, but I'm not sure I understand why.

I do not think this is the time to debate that design decision.  The
design of DNSSEC uses different RRTYPEs at the parent side of the cut
and the child side.  It is true that we use the same RRTYPE at the
parent and child sides for the NS record.  But even if you think that
was a good design (though I happen not to), the fact is that DNSSEC
did not follow that direction, and it has rules stating that the DS
isn't allowed on the child side.  We can't unmake that decision, and
we can't change it now without introducing a backward-incompatible
change; so that is not an option open to us.


Andrew Sullivan
Shinkuro, Inc.
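To make the parent/child split concrete: the DS a parent publishes is a digest over the child's owner name plus the DNSKEY RDATA held at the child apex, so the two records are distinct types bound across the cut. The following is an added example, not code from this thread or from any of its participants; it follows RFC 4034 (section 5.1.4 and Appendix B) for the DS digest and key tag, uses SHA-256 (digest type 2), and the DNSKEY material (`SAMPLE_RDATA`) is a constructed placeholder rather than a real key.

```python
"""Added example (not from the thread): how the parent-side DS is derived
from the child-side DNSKEY, per RFC 4034 section 5.1.4 and Appendix B.
The key material below is constructed for illustration, not a real key."""
import hashlib
import struct

# Digest type 2 = SHA-256 (RFC 4509). Only this type is handled here.
DIGEST_TYPE_SHA256 = 2


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the root label (RFC 4034 section 6.2)."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label length")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire RDATA of a DNSKEY RR: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag computed over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes) -> dict:
    """Build the DS that the *parent* publishes for a DNSKEY held at the
    *child* apex. The digest covers owner name + DNSKEY RDATA, so the DS is
    bound to the child's name as well as to the key bits."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": DIGEST_TYPE_SHA256,
        "digest": digest,
    }


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """The check a validator performs at the zone cut: recompute the DS from
    the child's DNSKEY and compare every field."""
    if ds["digest_type"] != DIGEST_TYPE_SHA256:
        return False
    return ds == ds_from_dnskey(owner, rdata)


def zone_cut_view(child: str, nameservers, rdata: bytes):
    """Records at a delegation as presentation-format strings: NS appears on
    both sides of the cut, the DS only on the parent side, the DNSKEY only
    on the child side. The DNSKEY's base64 field is a placeholder."""
    ds = ds_from_dnskey(child, rdata)
    flags = struct.unpack("!H", rdata[:2])[0]
    parent_side = [f"{child} IN NS {ns}" for ns in nameservers] + [
        f"{child} IN DS {ds['key_tag']} {ds['algorithm']} "
        f"{ds['digest_type']} {ds['digest']}"
    ]
    child_side = [f"{child} IN NS {ns}" for ns in nameservers] + [
        f"{child} IN DNSKEY {flags} 3 {rdata[3]} <base64 key>"
    ]
    return parent_side, child_side


# Constructed sample: a KSK (flags 257), algorithm 8, with a placeholder key.
SAMPLE_OWNER = "example."
SAMPLE_RDATA = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")

if __name__ == "__main__":
    parent, child = zone_cut_view(
        SAMPLE_OWNER, ["ns1.example.", "ns2.example."], SAMPLE_RDATA
    )
    print("parent side:", *parent, sep="\n  ")
    print("child side:", *child, sep="\n  ")
```

Because the owner name is part of the digest input, a DS copied to a different name no longer verifies, which is why `ds_matches_dnskey` takes the owner as an argument rather than the key alone.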