Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

Miek Gieben <miek@miek.nl> Wed, 09 March 2011 09:04 UTC

Return-Path: <miekg@atoom.net>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B67F23A68AA for <dnsext@core3.amsl.com>; Wed, 9 Mar 2011 01:04:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id efaZGOgeO+GJ for <dnsext@core3.amsl.com>; Wed, 9 Mar 2011 01:04:26 -0800 (PST)
Received: from elektron.atoom.net (cl-201.ede-01.nl.sixxs.net [IPv6:2001:7b8:2ff:c8::2]) by core3.amsl.com (Postfix) with ESMTP id C23BB3A68C4 for <dnsext@ietf.org>; Wed, 9 Mar 2011 01:04:25 -0800 (PST)
Received: by elektron.atoom.net (Postfix, from userid 1000) id A71FB3FFF3; Wed, 9 Mar 2011 10:05:36 +0100 (CET)
Date: Wed, 09 Mar 2011 10:05:36 +0100
From: Miek Gieben <miek@miek.nl>
To: dnsext@ietf.org
Message-ID: <20110309090536.GA9578@miek.nl>
Mail-Followup-To: dnsext@ietf.org
References: <C99C3502.72B1%roy@nominet.org.uk> <alpine.LSU.2.00.1103082030190.5244@hermes-1.csi.cam.ac.uk> <72A22513B1644CFE9023189F93BFDD32@local> <20110309080006.GA23957@miek.nl> <758260B7B5B34599BA80D9BA5A3840C0@local>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="HcAYCG3uE/tztfnV"
Content-Disposition: inline
In-Reply-To: <758260B7B5B34599BA80D9BA5A3840C0@local>
User-Agent: Vim/Mutt/Linux
X-Home: www.miek.nl
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 09:04:26 -0000

[ Quoting George Barwood in "Re: [dnsext] CDS RRTYPE review - Co"... ]
> > > > Why not just use the child zone's SEP DNSKEY RRs for this purpose?
> > > 
> > > From the draft http://tools.ietf.org/html/draft-barwood-dnsop-ds-publish-01
> > > 
> > >   key, delaying the time at which an attacker can start cryptanalysis;
> 
> > So this is the sole reason for adding this new type?
> 
> There are 4 reasons given, why do you quote only one?
> Please don't quote selectively.

it is the first reason you give in the introduction in the draft.

> One could probably add yet more reasons, e.g.
> It gives the child control over which Digest Type is used.
> It allows new Digest types to be deployed easily.
> It allows easy verification (by humans) as to whether the parent and child zones are in sync.
>
> But these are really just examples, fundamentally it's just proper design.
> It gives the child zone proper control of the parent DS RRset.

...if the parent cooperates...

Is this proposal aimed at TLDs or at smaller zones? Because for .nl we
are just going to use EPP and let the registrar send in a DNSKEY which
we will convert to a DS (so you can not even choose your own hash
algo).

grtz,

--
 Miek