Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

[Mark Andrews <marka@isc.org>]

In message <4D778C86.4020105@ogud.com>, Olafur Gudmundsson writes:
> <hat="RFC3658-editor">
> 
> On 09/03/2011 8:30 AM, Scott Schmit wrote:
> > On Tue, Mar 08, 2011 at 08:32:05PM +0000, Tony Finch wrote dnsext:
> >> On Tue, 8 Mar 2011, Roy Arends wrote:
> >>>
> >>>     D.    Motivation for the new RRTYPE application?
> >>>
> >>>           To allow a copy of the DS RRset [RFC4034] to be published
> >>>           in the child zone, which is used to update the parent DS RRset.
> >>>           It is expected that this will allow the rollover of a key signi
> ng
> >>>           key to be automated.
> >>
> >> Why not just use the child zone's SEP DNSKEY RRs for this purpose?
> >
> > I'm inclined to agree with this, but even if it's decided that the
> > DNSKEY RRs aren't sufficient, why not just use DS on the client side? I
> > see that RFC 3658 forbids it, but I'm not sure I understand why.  We
> > don't have CNS in addition to NS, so why should DS be different? I can
> > understand that DS must be ignored by a client unless it's signed by the
> > parent, but if that check doesn't already exist, we're already in
> > trouble.
> 
> Using SEP bits in DNSKEY records does not work when a zone wants to 
> retire an algorithm, the DS MUST be removed before the corresponding 
> DNSKEY record is removed.
 
RFC 5011 really doesn't work for trust anchors.  We should do something
similar with DNSKEY but add <START> <END> <POLL> fields to the front.
However this is not the thread to do this on.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org