Re: [dnsext] MAR proposal #2: Allowing pre-publishing of DNSKEYs

Edward Lewis <Ed.Lewis@neustar.biz> Fri, 01 April 2011 14:56 UTC

Message-Id: <a06240801c9bb976a473c@[10.31.200.116]>
In-Reply-To: <alpine.BSF.2.00.1104011024530.92106@fledge.watson.org>
Date: Fri, 01 Apr 2011 10:57:40 -0400
To: Samuel Weiler <weiler@watson.org>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] MAR proposal #2: Allowing pre-publishing of DNSKEYs

At 10:28 -0400 4/1/11, Samuel Weiler wrote:

>Zones will be required to be signed with each algorithm (though not
>necessarily each key) present in the zone's DS RRset or configured
>trust anchors.

Looking at my previous message, this probably makes sense.

Just like NS sets: if the cut-point NS set is a subset of the 
corresponding apex NS set, things work out; if the algorithms in the 
DS set are a subset of the algorithms in the corresponding DNSKEY 
set, things work out.  And the flexibility to allow a change made on 
one side to happen non-atomically with a change on the other side 
can proceed.

This works for adding and subtracting.

If I add an NS to the child and then the parent, no lame servers.  If 
I subtract the NS from the parent and then from the child, no lame 
servers.  I make the change in a different order between adds and 
deletes, but with the same result: the upper is a subset of the lower.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
Son: "Waah!"
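As an added illustration of the subset rule in the message above (not code from the thread or from any DNS implementation), a small Python model that checks the DS-versus-DNSKEY/RRSIG algorithm invariant and the NS analogy, and walks the add and remove orderings Ed describes. The algorithm numbers and NS names are constructed sample data.

```python
# Added example, not part of the original thread.
# DNSSEC algorithm numbers used below are illustrative only
# (8 = RSASHA256, 13 = ECDSAP256SHA256); the zones are constructed.

def algorithm_violations(ds_algs, dnskey_algs, rrsig_algs):
    """Proposal rule: every algorithm in the parent's DS RRset (or in
    configured trust anchors) must appear in the child's DNSKEY RRset
    AND be used to sign the zone. Returns the offending algorithms;
    an empty set means the rule holds."""
    return {a for a in ds_algs
            if a not in dnskey_algs or a not in rrsig_algs}

def delegation_lame(parent_ns, child_ns):
    """NS analogy: the delegation (cut-point) NS set must be a subset
    of the apex NS set; anything only at the parent is lame."""
    return set(parent_ns) - set(child_ns)

def rollover_safe(steps, parent, child):
    """Simulate (side, op, value) steps applied non-atomically to the
    parent set (DS algorithms / delegation NS) and the child set
    (DNSKEY+RRSIG algorithms / apex NS). True only if 'upper is a
    subset of lower' holds after every single step."""
    parent, child = set(parent), set(child)
    for side, op, value in steps:
        target = parent if side == "parent" else child
        if op == "add":
            target.add(value)
        else:
            target.discard(value)
        if not parent <= child:      # invariant broken mid-rollover
            return False
    return True

if __name__ == "__main__":
    # Adding alg 13: child first, then parent -> always a subset.
    print(rollover_safe([("child", "add", 13), ("parent", "add", 13)], {8}, {8}))
    # Removing alg 8: parent first, then child -> always a subset.
    print(rollover_safe([("parent", "remove", 8), ("child", "remove", 8)], {8, 13}, {8, 13}))
```

Note that a DNSKEY that is pre-published but not yet signing with is still a violation once a DS for its algorithm exists, which is exactly why the rule is phrased in terms of algorithms rather than keys.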