Re: comments on ds-13

Ólafur Guðmundsson <ogud@ogud.com> Tue, 11 March 2003 20:21 UTC

Received: from psg.com (mailnull@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA10577 for <dnsext-archive@lists.ietf.org>; Tue, 11 Mar 2003 15:21:37 -0500 (EST)
Received: from lserv by psg.com with local (Exim 3.36 #1) id 18sq1M-000Og2-00 for namedroppers-data@psg.com; Tue, 11 Mar 2003 12:06:44 -0800
Received: from one.elistx.com ([209.116.252.130]) by psg.com with esmtp (Exim 3.36 #1) id 18sq1I-000Ofk-00 for namedroppers@ops.ietf.org; Tue, 11 Mar 2003 12:06:40 -0800
Received: from ogud.com (pcp816081pcs.nrockv01.md.comcast.net [68.49.60.118]) by eListX.com (PMDF V6.0-025 #44856) with ESMTP id <0HBL00ILKP89IY@eListX.com> for namedroppers@ops.ietf.org; Tue, 11 Mar 2003 15:07:21 -0500 (EST)
Received: from ENGILL.ogud.com (gatt.dc.ogud.com [10.20.30.6]) by ogud.com (8.12.3/8.12.3) with ESMTP id h2BK7HbZ009618; Tue, 11 Mar 2003 15:07:18 -0500 (EST envelope-from ogud@ogud.com)
Date: Tue, 11 Mar 2003 15:04:38 -0500
From: Ólafur Guðmundsson <ogud@ogud.com>
Subject: Re: comments on ds-13
In-reply-to: <20030311175746.C0D55379E40@as.vix.com>
X-Sender: post@localhost
To: Paul Vixie <paul@vix.com>, namedroppers@ops.ietf.org
Message-id: <5.1.1.6.2.20030311144427.032c2cc0@localhost>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.1.1
Content-type: text/plain; format="flowed"; charset="us-ascii"
X-Spam-Status: No, hits=2.3 required=5.0 tests=IN_REP_TO,RCVD_IN_RFCI,SPAM_PHRASE_00_01 version=2.43
X-Spam-Level: **
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk

At 12:57 2003-03-11, Paul Vixie wrote:
>olafur, you wrote (in draft-ietf-dnsext-delegation-signer-13.txt),
>
> >> DS RRsets MUST NOT appear at non-delegation points or at a zone's apex.
>
>why not?  i think you can say they are irrelevant elsewhere, but i don't
>think there's a way to show that they are in any way harmful elsewhere.

Well, the record is called "Delegation Signer".
IMHO this is a record for DNS consumption, and only for DNS; it
makes limited sense to have a DS record at non-delegation points
within the context of the current DNSSEC specification.
In addition, the DS rules specify that it resides on
the upper side of the delegation.
Does allowing DS to reside at a normal node require more special cases?

If someone figures out other uses for the DS concept that are not
related to standard DNSSEC, let's define a new record for that.
If the new usage is to somehow improve/add on DNSSEC, then the
use of DS should be considered.
>as a simple document quality issue, there is no way to enforce this
>requirement and no reliable way to even know when it has been violated.
>so at best it would be a SHOULD not a MUST.

This is a really good argument, and I would be happy to make the change
based on this, if the working group says so.


>however, even as a SHOULD, it overreaches.  the proper attitude of a
>document toward its protocol is to specify things which, if left
>unspecified, will lead to loss of interoperability or functionality.
>there is no such argument to be made for restricting the placement of
>DS RRs (or for restricting the use of KEYs for that matter.)

Remember the name and purpose of the record.
KEY, on the other hand, can be assigned to hosts for dynamic update purposes;
thus KEY is not restricted to the apex only.
IFF KEY were restricted to DNSSEC zone signing only, then restricting it
to the apex would make sense.

         Olafur
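
The placement rule under discussion ("DS RRsets MUST NOT appear at non-delegation points or at a zone's apex") can be checked on the zone-owner side, even if the protocol itself cannot enforce it. Below is an added example of such a zone lint; it is not code from the draft, from the list participants, or from any DNS implementation. The zone text, the names under `example.`, and the key tags and digests in it are constructed for the example, and the presentation format is a deliberately minimal "owner TYPE rdata" form rather than full RFC 1035 master-file syntax. KEY records are parsed but intentionally not checked, since (as the message above notes) KEY is not restricted to the apex.

```python
"""Lint a zone for DS RRsets at places the delegation-signer draft forbids:
the zone apex, or an owner name that is not a delegation point.

In this simplified model a delegation point is any owner name below the
apex that has an NS RRset in this zone; that is the "upper side" of the
delegation where a DS RRset belongs.  The zone below is constructed data
for the example; every name, key tag and digest in it is made up.
"""

from collections import defaultdict

ZONE_APEX = "example."

# Constructed zone in a minimal "owner TYPE rdata" format (not full RFC 1035
# master-file syntax: no $ORIGIN, no TTLs, no class, one RR per line).
SAMPLE_ZONE = """\
example.            SOA   ns1.example. hostmaster.example. 1 3600 900 604800 300
example.            NS    ns1.example.
example.            DS    12345 5 1 0123456789ABCDEF0123456789ABCDEF01234567
ns1.example.        A     192.0.2.1
child.example.      NS    ns1.child.example.
child.example.      DS    54321 5 1 FEDCBA9876543210FEDCBA9876543210FEDCBA98
ns1.child.example.  A     192.0.2.53
www.example.        A     192.0.2.80
www.example.        DS    11111 5 1 00000000000000000000000000000000DEADBEEF
host.example.       KEY   256 3 5 AwEAAaHypotheticalKeyMaterial
"""


def parse_zone(text):
    """Return {owner: {TYPE: [rdata, ...]}} with lower-cased absolute owners.

    Comments starting with ';' and blank lines are ignored.  Owner names are
    expected to be written in full (trailing dot) on every line.
    """
    rrsets = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        rrsets[owner.lower()][rtype.upper()].append(rdata)
    return rrsets


def is_delegation_point(rrsets, owner, apex):
    """A delegation point is a non-apex owner that has an NS RRset."""
    return owner != apex and "NS" in rrsets.get(owner, {})


def ds_placement_errors(text, apex=ZONE_APEX):
    """Return [(owner, reason), ...] for every DS RRset placed outside
    a delegation point, sorted by owner name."""
    rrsets = parse_zone(text)
    apex = apex.lower()
    errors = []
    for owner, types in sorted(rrsets.items()):
        if "DS" not in types:
            continue
        if owner == apex:
            errors.append((owner, "DS RRset at the zone apex"))
        elif not is_delegation_point(rrsets, owner, apex):
            errors.append((owner, "DS RRset at a non-delegation point (no NS RRset)"))
    return errors


if __name__ == "__main__":
    for owner, reason in ds_placement_errors(SAMPLE_ZONE):
        print(f"{owner}: {reason}")
```

Running it on the constructed zone reports the DS at `example.` (apex) and at `www.example.` (an ordinary host name with no NS RRset); the DS at `child.example.` passes because that name is delegated, and the KEY at `host.example.` produces no finding. Note the check is purely a zone-side lint: a validator receiving a DS RRset on the wire has no way to tell whether the zone it came from honoured the rule.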
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>