[dnsext] dnssec-bis updates: key use

"W.C.A. Wijngaards" <wouter@NLnetLabs.nl> Mon, 03 August 2009 09:30 UTC

Message-ID: <4A76AB14.3000002@nlnetlabs.nl>
Date: Mon, 03 Aug 2009 11:17:08 +0200
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
To: David Blacka <davidb@verisign.com>, "namedroppers@ops.ietf.org" <namedroppers@ops.ietf.org>
Subject: [dnsext] dnssec-bis updates: key use


Hi David,

About dnssec-bis updates.  Specifically about the 'MUST try all keys'.

a) I disagree. Are there people that agree with this point of view?

A more specific key is simply more specific and thus trumps a less
specific one.  People should have proper automated key update mechanisms
so the only way for the key to not work is if there is an attack.

So, the text must be:
  MUST try all keys that are specific for the query.

So, if you add 5 keys for example.com they should all be tried.

b) In case I lose the argument I want the text amended:

MUST try all keys, but a chain of trust from a higher up key
MUST result in a secure state for the name of the closest key.

So that if 'example.com' does not work and you use the root key,
insecure com delegations do not downgrade security.
The higher key MUST then build a chain of trust to the lower name.

Best regards,
   Wouter

archive: <http://ops.ietf.org/lists/namedroppers/>
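The two rules argued for in the post above (try every key of the most specific trust anchor; fall back to a higher anchor only when its chain proves the closest anchored name secure), as an added Python example that is not from the post or from any validator's code. Zone names, key tags and the chain-of-trust outcomes in CHAINS are constructed for the walkthrough.

```python
def closest_anchor_zone(name, anchors):
    # Most specific anchored zone enclosing name ('example.com.' beats '.').
    labels = [lab for lab in name.split('.') if lab]
    for i in range(len(labels) + 1):
        zone = '.'.join(labels[i:]) + '.'
        if zone in anchors:
            return zone
    return None

def parent_zone(zone):
    labels = [lab for lab in zone.split('.') if lab]
    return '.'.join(labels[1:]) + '.' if labels else None   # the root has no parent

def validate(qname, anchors, chain, fallback=False):
    # chain(anchor zone, key tag, target) -> 'secure' | 'insecure' | 'bogus'
    zone = closest_anchor_zone(qname, anchors)
    if zone is None:
        return 'insecure'                       # nothing anchored covers the name
    states = {chain(zone, key, qname) for key in anchors[zone]}   # rule (a): try every key
    if 'secure' in states:
        return 'secure'
    if 'insecure' in states:
        return 'insecure'                       # a specific key proved an unsigned delegation
    if not fallback:
        return 'bogus'                          # all specific keys failed: assume an attack
    above = parent_zone(zone)                   # rule (b): walk to less specific anchors
    while above and (hz := closest_anchor_zone(above, anchors)):
        for key in anchors[hz]:
            if chain(hz, key, zone) == 'secure':   # must reach the closest key's name securely
                return chain(hz, key, qname)
        above = parent_zone(hz)
    return 'bogus'                              # an insecure com delegation is no downgrade

# Constructed outcomes, not real keys: example.com tag 1111 is stale, 2222 current;
# root tag 9999 sees com->example.com unsigned, hypothetical root tag 8888 sees it signed.
CHAINS = {('example.com.', 1111, 'www.example.com.'): 'bogus',
          ('example.com.', 2222, 'www.example.com.'): 'secure',
          ('.', 9999, 'example.com.'): 'insecure', ('.', 9999, 'www.example.com.'): 'insecure',
          ('.', 8888, 'example.com.'): 'secure', ('.', 8888, 'www.example.com.'): 'secure'}

def chain(anchor_zone, key, target):
    return CHAINS.get((anchor_zone, key, target), 'bogus')

def scenarios():
    q = 'www.example.com.'
    return {'all_keys_tried': validate(q, {'example.com.': [1111, 2222], '.': [9999]}, chain),
            'stale_key_only': validate(q, {'example.com.': [1111], '.': [9999]}, chain),
            'fallback_no_downgrade': validate(q, {'example.com.': [1111], '.': [9999]}, chain, True),
            'fallback_secure_chain': validate(q, {'example.com.': [1111], '.': [8888]}, chain, True)}
```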