Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

"George Barwood" <george.barwood@blueyonder.co.uk> Wed, 09 March 2011 08:44 UTC

Return-Path: <george.barwood@blueyonder.co.uk>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 411CB3A68BC for <dnsext@core3.amsl.com>; Wed, 9 Mar 2011 00:44:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.687
X-Spam-Level:
X-Spam-Status: No, score=0.687 tagged_above=-999 required=5 tests=[AWL=0.092, BAYES_00=-2.599, HELO_EQ_BLUEYON=1.4, MIME_BASE64_BLANKS=0.041, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EQpLXiWbZ7H7 for <dnsext@core3.amsl.com>; Wed, 9 Mar 2011 00:44:38 -0800 (PST)
Received: from smtp-out4.blueyonder.co.uk (smtp-out4.blueyonder.co.uk [195.188.213.7]) by core3.amsl.com (Postfix) with ESMTP id 731103A68AB for <dnsext@ietf.org>; Wed, 9 Mar 2011 00:44:38 -0800 (PST)
Received: from [172.23.170.139] (helo=anti-virus01-10) by smtp-out4.blueyonder.co.uk with smtp (Exim 4.52) id 1PxF1l-0004Ri-Ct; Wed, 09 Mar 2011 08:45:53 +0000
Received: from [92.238.99.235] (helo=GeorgeLaptop) by asmtp-out4.blueyonder.co.uk with smtp (Exim 4.72) (envelope-from <george.barwood@blueyonder.co.uk>) id 1PxF1U-0003Ja-Ok; Wed, 09 Mar 2011 08:45:36 +0000
Message-ID: <758260B7B5B34599BA80D9BA5A3840C0@local>
From: "George Barwood" <george.barwood@blueyonder.co.uk>
To: "Miek Gieben" <miek@miek.nl>, <dnsext@ietf.org>
References: <C99C3502.72B1%roy@nominet.org.uk><alpine.LSU.2.00.1103082030190.5244@hermes-1.csi.cam.ac.uk><72A22513B1644CFE9023189F93BFDD32@local> <20110309080006.GA23957@miek.nl>
Date: Wed, 9 Mar 2011 08:45:51 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 08:44:39 -0000

----- Original Message ----- 
From: "Miek Gieben" <miek@miek.nl>
To: <dnsext@ietf.org>
Sent: Wednesday, March 09, 2011 8:00 AM
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th


> > > Why not just use the child zone's SEP DNSKEY RRs for this purpose?
> > 
> > From the draft http://tools.ietf.org/html/draft-barwood-dnsop-ds-publish-01
> > 
> >   key, delaying the time at which an attacker can start cryptanalysis;

> So this is the sole reason for adding this new type?

There are 4 reasons given, why do you quote only one?
Please don't quote selectively.

One could probably add yet more reasons, e.g.
It gives the child control over which Digest Type is used.
It allows new Digest types to be deployed easily.
It allows easy verification (by humans) as to whether the parent and child zones are in sync.
But these are really just examples, fundamentally it's just proper design.
It gives the child zone proper control of the parent DS RRset.

George