Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

Mark Andrews <marka@isc.org> Wed, 09 March 2011 21:45 UTC

To: Andrew Sullivan <ajs@shinkuro.com>
From: Mark Andrews <marka@isc.org>
References: <C99C3502.72B1%roy@nominet.org.uk> <alpine.LSU.2.00.1103082030190.5244@hermes-1.csi.cam.ac.uk> <20110309133017.GA19809@odin.mars.sol><20110309135700.GI32629@shinkuro.com>
In-reply-to: Your message of "Wed, 09 Mar 2011 08:57:00 CDT." <20110309135700.GI32629@shinkuro.com>
Date: Thu, 10 Mar 2011 08:46:34 +1100
Message-Id: <20110309214634.1D01BBFF084@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

In message <20110309135700.GI32629@shinkuro.com>, Andrew Sullivan writes:
> No hat.
> 
> On Wed, Mar 09, 2011 at 08:30:17AM -0500, Scott Schmit wrote:
> 
> > I'm inclined to agree with this, but even if it's decided that the
> > DNSKEY RRs aren't sufficient, why not just use DS on the client side? I
> > see that RFC 3658 forbids it, but I'm not sure I understand why.
> 
> I do not think this is the time to debate that design decision.  The
> design of DNSSEC uses different RRTYPEs at the parent side of the cut
> and the child side.  It is true that we use the same RRTYPE at the
> parent and child sides for the NS record.  But even if you think that
> was a good design (though I happen not to), the fact is that DNSSEC
> did not follow that direction, and it has rules stating that the DS
> isn't allowed on the child side.  We can't unmake that decision, and
> we can't change it now without introducing a backward incompatible
> change; so that is not an option open to us.
> 
> A

Additionally DLV, which is bit for bit identical to DS like this
record is, is a different type for exactly the same reasons this
record needs to be a different type.  And no, re-using DLV is also
not appropriate.  DLV, CDS and DS can all exist at the same name.

> -- 
> Andrew Sullivan
> ajs@shinkuro.com
> Shinkuro, Inc.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
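The point made in this thread is that DS, DLV and CDS share one RDATA format (key tag, algorithm, digest type, digest) and differ only in RRTYPE, and that the type decides where the record may legitimately appear. The following is an added example, not code from the thread or from ISC: it derives DS-format RDATA from a constructed DNSKEY exactly as a parent would, and checks placement so that a DS at a zone's own apex is rejected while a CDS there is accepted. The CDS type code 59 is taken from RFC 7344, which was assigned after this 2011 discussion, and the DNSKEY bytes are constructed sample data.

```python
import hashlib
import struct

# Type codes: DS (43) and DLV (32769) are long-standing; CDS (59) was assigned
# later by RFC 7344 and is an assumption relative to this 2011 thread.
TYPE_DS, TYPE_CDS, TYPE_DLV = 43, 59, 32769
SHARED_DS_FORMAT = {TYPE_DS, TYPE_CDS, TYPE_DLV}  # identical RDATA layout


def wire_name(name):
    """Canonical wire form of an owner name: lowercased length-prefixed labels."""
    labels = [l for l in name.lower().rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def key_tag(dnskey_rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B)."""
    acc = 0
    for i, b in enumerate(dnskey_rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_rdata(owner, dnskey_rdata, digest_type=2):
    """Build DS-format RDATA from a DNSKEY; digest type 2 is SHA-256 over
    owner-name-wire || DNSKEY RDATA (RFC 4509). The same bytes serve as the
    RDATA of a DS, a CDS or a DLV record; only the RRTYPE differs."""
    algorithm = dnskey_rdata[3]  # DNSKEY RDATA: flags(2) protocol(1) algorithm(1) key
    digest = hashlib.sha256(wire_name(owner) + dnskey_rdata).digest()
    return struct.pack('!HBB', key_tag(dnskey_rdata), algorithm, digest_type) + digest


def parse_ds_rdata(rdata):
    """Decode the shared DS/CDS/DLV RDATA layout into its fields."""
    tag, alg, dtype = struct.unpack('!HBB', rdata[:4])
    return {'key_tag': tag, 'algorithm': alg, 'digest_type': dtype, 'digest': rdata[4:].hex()}


def check_placement(rrtype, owner, zone_apex):
    """DS belongs on the parent side of the cut and must not appear at the
    zone's own apex (RFC 4035 section 2.4); CDS is published at the child apex."""
    at_apex = owner.lower().rstrip('.') == zone_apex.lower().rstrip('.')
    if rrtype == TYPE_DS and at_apex:
        return False
    if rrtype == TYPE_CDS and not at_apex:
        return False
    return True


# Constructed sample DNSKEY RDATA: flags=257 (KSK), protocol=3, algorithm=8, dummy key bytes.
SAMPLE_DNSKEY = b'\x01\x01\x03\x08' + b'\x01\x02\x03\x04'
```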