DNSSECbis Q-07: Discuss preconfigured trusted DSs in addition to preconfigured trusted KEYs?

Rob Austein <sra+namedroppers@hactrn.net> Wed, 09 April 2003 20:17 UTC

Date: Wed, 09 Apr 2003 16:07:50 -0400
From: Rob Austein <sra+namedroppers@hactrn.net>
To: namedroppers@ops.ietf.org
Subject: DNSSECbis Q-07: Discuss preconfigured trusted DSs in addition to preconfigured trusted KEYs?
References: <20030331132915.GA2912@atoom.net> <20030409015556.6CF3B18ED@thrintun.hactrn.net> <20030409030333.E8E6518ED@thrintun.hactrn.net>
Message-Id: <20030409200750.440EC18E6@thrintun.hactrn.net>

DNSSECbis Q-07:

   Should the DNSSECbis documents discuss use of preconfigured trusted
   DSs in addition to preconfigured trusted KEYs?

Discussion:

   As currently written, the DNSSECbis documents (specifically,
   -protocol) only talk about how to establish a chain of trust
   starting with preconfigured trusted keys.  At least one member of
   the dnssec-editors team believes that this is just an oversight,
   since section 2.4.1 of -delegation-signer-13 specifically mentions
   the possibility of using DS RRs as a means of listing trusted keys
   in configuration files.

   Message from the DNSOP WG mailing list attached below for context.

   Miek has kindly volunteered to work with the editors on wording.


--[[message/rfc822]
Date: Tue, 08 Apr 2003 21:55:56 -0400
From: Rob Austein <sra+dnsop@hactrn.net>
To: dnsop@cafax.se
Subject: Re: preconfigured keys or ds's
References: <20030331132915.GA2912@atoom.net>
MIME-Version: 1.0 (generated by SEMI 1.14.4 - "Hosorogi")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20030409015556.6CF3B18ED@thrintun.hactrn.net>

At Mon, 31 Mar 2003 15:29:15 +0200, Miek Gieben wrote:
> 
> I would like to see the following documented, but I don't know for sure
> if it is a dnssec or dnsop issue:
> 
> The preconfigured keys for resolvers are large and are hard to compare
> and read (by humans). DS records on the other hand are much smaller
> and easier to handle. I think it would be better to preconfigure
> DS records instead of zone keys for resolvers. This is also how
> my perl resolver works.

<hat dnsop-wg-co-chair=off dnssec-editors-team-member=off>

  This sounds like a reasonable implementation choice.

</hat>

> Where to put this? In the dnssec drafts or in a separate dnsop BCP?

<hat dnsop-wg-co-chair=off dnssec-editors-team-member=on>

  The current DNSSECbis drafts don't talk about using trusted DS RRs
  as a starting point, only trusted KEYs.  Given the last paragraph of
  section 2.4.1 of draft-ietf-dnsext-delegation-signer-13.txt, this
  looks like an oversight (probably mine, since I was probably the
  last person to work on the relevant text in the DNSSECbis drafts).

  So the DNSSECbis spec needs fixing, and I don't expect anybody to
  argue against the fix, but for process reasons it'd be best to post
  an explanation to namedroppers first, so I'll do that.

</hat>

<hat dnsop-wg-co-chair=on dnssec-editors-team-member=off>

  Because of the above, at least part of this is a DNSEXT issue.

</hat>

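The mechanism the thread is asking the DNSSECbis drafts to document is this: a resolver preconfigured with a DS record (rather than a full DNSKEY) accepts a DNSKEY fetched from the zone apex only if the DS digest, computed over the owner name and the DNSKEY RDATA, matches the configured one. The following is an added worked example, not code from Rob Austein, Miek Gieben, the DNSSECbis drafts or any resolver discussed above. It assumes the DS construction and key-tag algorithm of RFC 4034 (section 5.1.4 and Appendix B) and, going one step beyond the 2003 text, also accepts the SHA-256 digest type later registered by RFC 4509. The owner name, key flags and public-key bytes are constructed sample values, not real keys.

```python
"""Trust anchors as DS records: derive a DS from a DNSKEY and check a
retrieved DNSKEY against a preconfigured DS (RFC 4034 sec. 5.1.4, App. B)."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-algorithm-1 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> Dict:
    """Build the DS that a trust-anchor file would carry for this DNSKEY:
    digest = H(canonical owner name | DNSKEY RDATA)."""
    h = DIGEST_ALGOS[digest_type]
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": digest_type,
        "digest": h(name_to_wire(owner) + rdata).digest(),
    }


def dnskey_matches_ds(owner: str, rdata: bytes, ds: Dict) -> bool:
    """True iff this DNSKEY is the key the DS anchor commits to. A DS with
    an unknown digest type is unusable, so it never yields a match."""
    algo = DIGEST_ALGOS.get(ds["digest_type"])
    if algo is None:
        return False
    # Cheap fields first; they rule out most non-matching keys in an RRset.
    if ds["algorithm"] != rdata[3] or ds["key_tag"] != key_tag(rdata):
        return False
    digest = algo(name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(digest, ds["digest"])


def find_anchored_key(owner: str, dnskeys: List[bytes], anchors: List[Dict]) -> Optional[bytes]:
    """Given the DNSKEY RRset fetched for `owner` and the preconfigured DS
    anchors for that name, return the first DNSKEY some anchor vouches for,
    or None if no key is anchored (the chain of trust cannot start)."""
    for rdata in dnskeys:
        if any(dnskey_matches_ds(owner, rdata, ds) for ds in anchors):
            return rdata
    return None


# Constructed sample: a KSK (flags 257, protocol 3, algorithm 8) with a
# made-up public-key blob. These are not real keys.
SAMPLE_OWNER = "example."
SAMPLE_PUBKEY = bytes(range(1, 65))
SAMPLE_KSK = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY)
# A second, unrelated key that would sit in the same DNSKEY RRset.
OTHER_KEY = dnskey_rdata(256, 3, 8, bytes(range(64, 0, -1)))
# What the resolver operator would put in the trust-anchor file instead
# of the whole SAMPLE_KSK RDATA.
SAMPLE_ANCHOR = make_ds(SAMPLE_OWNER, SAMPLE_KSK)

if __name__ == "__main__":
    print("DS anchor:", SAMPLE_ANCHOR["key_tag"], SAMPLE_ANCHOR["algorithm"],
          SAMPLE_ANCHOR["digest_type"], SAMPLE_ANCHOR["digest"].hex())
    found = find_anchored_key(SAMPLE_OWNER, [OTHER_KEY, SAMPLE_KSK], [SAMPLE_ANCHOR])
    print("anchored key found:", found == SAMPLE_KSK)
```

The configured anchor is the 32-byte digest plus three small integers, which is Miek's point about DS being easier to read and compare than a full key. Note that the digest is bound to the owner name as well as the key bytes, so the same DNSKEY RDATA configured under a different name does not match, and a DS whose digest type the resolver does not implement is treated as unusable rather than as an error in the key.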