Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

"George Barwood" <george.barwood@blueyonder.co.uk> Tue, 08 March 2011 20:50 UTC

Message-ID: <72A22513B1644CFE9023189F93BFDD32@local>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: Tony Finch <dot@dotat.at>
References: <C99C3502.72B1%roy@nominet.org.uk> <alpine.LSU.2.00.1103082030190.5244@hermes-1.csi.cam.ac.uk>
Date: Tue, 08 Mar 2011 20:52:04 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
Cc: dnsext@ietf.org
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

----- Original Message ----- 
From: "Tony Finch" <dot@dotat.at>
To: <george.barwood@blueyonder.co.uk>
Cc: <dnsext@ietf.org>
Sent: Tuesday, March 08, 2011 8:32 PM
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th


> On Tue, 8 Mar 2011, Roy Arends wrote:
>>
>>    D.    Motivation for the new RRTYPE application?
>>
>>          To allow a copy of the DS RRset [RFC4034] to be published
>>          in the child zone, which is used to update the parent DS RRset.
>>          It is expected that this will allow the rollover of a key signing
>>          key to be automated.
> 
> Why not just use the child zone's SEP DNSKEY RRs for this purpose?

From the draft http://tools.ietf.org/html/draft-barwood-dnsop-ds-publish-01

  A new resource record type is preferred to using flags in the DNSKEY
  RRset. It allows the DS to be published without revealing the public
  key, delaying the time at which an attacker can start cryptanalysis;
  the size of the DNSKEY RRset is not changed, which avoids potential
  transport problems with large responses; and it allows arbitrary DS
  records to be published which may have no corresponding DNSKEY, which
  might be useful in future for defining transport parameters.

George
 
> Tony.
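The draft's first argument above is that a DS record carries only a digest of the key, so a child can publish a CDS before the corresponding DNSKEY is visible. The following is an added example, not code from the message, the draft or any DNS implementation: it builds DS RDATA from a DNSKEY the way RFC 4034 section 5.1.4 specifies (digest over the canonical owner name plus the DNSKEY RDATA), computes the key tag per RFC 4034 Appendix B, and shows the check a parent can run once the DNSKEY does appear. The owner name `example.` and the key bytes in `EXAMPLE_PUBKEY` are constructed for illustration and are not a real key.

```python
import hashlib
import struct

# Digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed stand-in for DNSKEY public key bytes; not a real key.
EXAMPLE_PUBKEY = bytes(range(1, 65))


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): sum the RDATA as 16-bit big-endian
    words and fold the carry back in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS (or CDS) RDATA for a DNSKEY as (key tag, algorithm, digest type,
    hex digest). Only the digest is published; the key bytes stay private
    until the child chooses to put the DNSKEY in its zone."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    data = name_to_wire(owner) + rdata
    digest = DIGEST_ALGS[digest_type](data).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_presentation(owner: str, ds) -> str:
    """Presentation format of a DS record, e.g. for pasting into the parent."""
    tag, alg, dtype, digest = ds
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


def parent_accepts_cds(cds, owner, flags, protocol, algorithm, pubkey) -> bool:
    """The check a parent can make once the child's DNSKEY is visible: the
    DNSKEY must hash to exactly the CDS it was asked to install. Unknown
    digest types are rejected rather than guessed."""
    if cds[2] not in DIGEST_ALGS:
        return False
    return ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, cds[2]) == cds


if __name__ == "__main__":
    cds = ds_from_dnskey("example.", 257, 3, 8, EXAMPLE_PUBKEY)
    print(ds_presentation("example.", cds))
    print("parent accepts:", parent_accepts_cds(cds, "example.", 257, 3, 8, EXAMPLE_PUBKEY))
```

The DS digest covers the owner name as well as the key, so the same key published under a different name yields a different DS, and a parent matching a CDS against a DNSKEY must hash with the child's own name. A key tag is not unique (it is a 16-bit checksum, not a hash), so it selects candidate keys only; the digest comparison is the real test.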