Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

Mark Andrews <marka@isc.org> Wed, 09 March 2011 22:05 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B8F5D3A6ABD for <dnsext@core3.amsl.com>; Wed, 9 Mar 2011 14:05:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.509
X-Spam-Level:
X-Spam-Status: No, score=-2.509 tagged_above=-999 required=5 tests=[AWL=0.090, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id syIfYVVH2VDz for <dnsext@core3.amsl.com>; Wed, 9 Mar 2011 14:05:42 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by core3.amsl.com (Postfix) with ESMTP id 342843A6407 for <dnsext@ietf.org>; Wed, 9 Mar 2011 14:05:42 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id 354AB5F984C; Wed, 9 Mar 2011 22:06:44 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:ea06:88ff:fef3:4f9c]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id DF64E216C1E; Wed, 9 Mar 2011 22:06:41 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 08DDDBFF329; Thu, 10 Mar 2011 09:06:40 +1100 (EST)
To: Olafur Gudmundsson <ogud@ogud.com>
From: Mark Andrews <marka@isc.org>
References: <C99C3502.72B1%roy@nominet.org.uk> <alpine.LSU.2.00.1103082030190.5244@hermes-1.csi.cam.ac.uk> <20110309133017.GA19809@odin.mars.sol><4D778C86.4020105@ogud.com>
In-reply-to: Your message of "Wed, 09 Mar 2011 09:19:50 CDT." <4D778C86.4020105@ogud.com>
Date: Thu, 10 Mar 2011 09:06:40 +1100
Message-Id: <20110309220640.08DDDBFF329@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 22:05:43 -0000

In message <4D778C86.4020105@ogud.com>om>, Olafur Gudmundsson writes:
> <hat="RFC3658-editor">
> 
> On 09/03/2011 8:30 AM, Scott Schmit wrote:
> > On Tue, Mar 08, 2011 at 08:32:05PM +0000, Tony Finch wrote dnsext:
> >> On Tue, 8 Mar 2011, Roy Arends wrote:
> >>>
> >>>     D.    Motivation for the new RRTYPE application?
> >>>
> >>>           To allow a copy of the DS RRset [RFC4034] to be published
> >>>           in the child zone, which is used to update the parent DS RRset.
> >>>           It is expected that this will allow the rollover of a key signi
> ng
> >>>           key to be automated.
> >>
> >> Why not just use the child zone's SEP DNSKEY RRs for this purpose?
> >
> > I'm inclined to agree with this, but even if it's decided that the
> > DNSKEY RRs aren't sufficient, why not just use DS on the client side? I
> > see that RFC 3658 forbids it, but I'm not sure I understand why.  We
> > don't have CNS in addition to NS, so why should DS be different? I can
> > understand that DS must be ignored by a client unless it's signed by the
> > parent, but if that check doesn't already exist, we're already in
> > trouble.
> 
> Using SEP bits in DNSKEY records does not work when a zone wants to 
> retire an algorithm, the DS MUST be removed before the corresponding 
> DNSKEY record is removed.
 
RFC 5011 really doesn't work for trust anchors.  We should do something
similar with DNSKEY but add <START> <END> <POLL> fields to the front.
However this is not the thread to do this on.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org