Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th
Olafur Gudmundsson <ogud@ogud.com> Wed, 09 March 2011 14:18 UTC
Return-Path: <ogud@ogud.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 53ECB3A69BE for <dnsext@core3.amsl.com>; Wed, 9 Mar 2011 06:18:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.543
X-Spam-Level:
X-Spam-Status: No, score=-102.543 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GFBSAYSdd40W for <dnsext@core3.amsl.com>; Wed, 9 Mar 2011 06:18:41 -0800 (PST)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by core3.amsl.com (Postfix) with ESMTP id 410D23A69C9 for <dnsext@ietf.org>; Wed, 9 Mar 2011 06:18:41 -0800 (PST)
Received: from [IPv6:::1] (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p29EJuLD044855 for <dnsext@ietf.org>; Wed, 9 Mar 2011 09:19:56 -0500 (EST) (envelope-from ogud@ogud.com)
Message-ID: <4D778C86.4020105@ogud.com>
Date: Wed, 09 Mar 2011 09:19:50 -0500
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: dnsext@ietf.org
References: <C99C3502.72B1%roy@nominet.org.uk> <alpine.LSU.2.00.1103082030190.5244@hermes-1.csi.cam.ac.uk> <20110309133017.GA19809@odin.mars.sol>
In-Reply-To: <20110309133017.GA19809@odin.mars.sol>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.20.30.4
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 14:18:42 -0000
<hat="RFC3658-editor"> On 09/03/2011 8:30 AM, Scott Schmit wrote: > On Tue, Mar 08, 2011 at 08:32:05PM +0000, Tony Finch wrote dnsext: >> On Tue, 8 Mar 2011, Roy Arends wrote: >>> >>> D. Motivation for the new RRTYPE application? >>> >>> To allow a copy of the DS RRset [RFC4034] to be published >>> in the child zone, which is used to update the parent DS RRset. >>> It is expected that this will allow the rollover of a key signing >>> key to be automated. >> >> Why not just use the child zone's SEP DNSKEY RRs for this purpose? > > I'm inclined to agree with this, but even if it's decided that the > DNSKEY RRs aren't sufficient, why not just use DS on the client side? I > see that RFC 3658 forbids it, but I'm not sure I understand why. We > don't have CNS in addition to NS, so why should DS be different? I can > understand that DS must be ignored by a client unless it's signed by the > parent, but if that check doesn't already exist, we're already in > trouble. Using SEP bits in DNSKEY records does not work when a zone wants to retire an algorithm, the DS MUST be removed before the corresponding DNSKEY record is removed. > > So, maybe they didn't think of the use case this draft is trying to > address and forbade it to keep the software implementations simpler? But > that could have been accomplished simply by saying that a DS on the > child side is ignored for validation purposes (it now becomes pointless > (but harmless) to include it, except as a way to securely send DS > records from the child to the parent). RFC3658 specified for the first time a record that can only live at the parent and this required major changes to resolution algorithm implementations. If there is anything we have learned in the last 25+ years of DNS is this: "If the same information can appear in two places it will not be the same and you have no idea which version resolvers will use" Just look at what different resolvers do when the parent and child NS records differ. > I can understand the motivation of introducing a new RRTYPE to avoid > needing to alter existing MUST NOTs, but CDS just seems unnecessary. > > Maybe there's another reason to forbid DS on the child side that I've > overlooked? > see above, and new types a cheap, and this gives the child full control over the changes in the DS in parent. Similarly this can be used to update trust anchors for an Island of security. <disclaimer> I encouraged George to submit this, as I had the same idea about the same time as he did, in the context of automating DNS operator change/transfer. </disclaimer> This record does not change the DNS control plane (resolvers) it is only published for information purposes and to be used by zone content management tools. Olafur PS: I think that original DNS had NS RRset in two places was the biggest design mistake and we have spent lots of time and effort to overcome that. This choice was done for expediency and/or optimization reasons. s
- [dnsext] CDS RRTYPE review - Comments period end … Roy Arends
- Re: [dnsext] CDS RRTYPE review - Comments period … Tony Finch
- Re: [dnsext] CDS RRTYPE review - Comments period … George Barwood
- Re: [dnsext] CDS RRTYPE review - Comments period … Miek Gieben
- Re: [dnsext] CDS RRTYPE review - Comments period … Jelte Jansen
- Re: [dnsext] CDS RRTYPE review - Comments period … George Barwood
- Re: [dnsext] CDS RRTYPE review - Comments period … Miek Gieben
- Re: [dnsext] CDS RRTYPE review - Comments period … George Barwood
- Re: [dnsext] CDS RRTYPE review - Comments period … Scott Schmit
- Re: [dnsext] CDS RRTYPE review - Comments period … Andrew Sullivan
- Re: [dnsext] CDS RRTYPE review - Comments period … George Barwood
- Re: [dnsext] CDS RRTYPE review - Comments period … Olafur Gudmundsson
- Re: [dnsext] CDS RRTYPE review - Comments period … Phillip Hallam-Baker
- Re: [dnsext] CDS RRTYPE review - Comments period … Tony Finch
- Re: [dnsext] CDS RRTYPE review - Comments period … Tony Finch
- Re: [dnsext] CDS RRTYPE review - Comments period … Phillip Hallam-Baker
- Re: [dnsext] CDS RRTYPE review - Comments period … Matthew Pounsett
- Re: [dnsext] CDS RRTYPE review - Comments period … Olafur Gudmundsson
- Re: [dnsext] CDS RRTYPE review - Comments period … Miek Gieben
- Re: [dnsext] CDS RRTYPE review - Comments period … Paul Wouters
- Re: [dnsext] CDS RRTYPE review - Comments period … Mark Andrews
- Re: [dnsext] CDS RRTYPE review - Comments period … Mark Andrews
- Re: [dnsext] CDS RRTYPE review - Comments period … Stephan Lagerholm
- Re: [dnsext] CDS RRTYPE review - Comments period … Mark Andrews
- Re: [dnsext] CDS RRTYPE review - Comments period … George Barwood
- Re: [dnsext] CDS RRTYPE review - Comments period … Samuel Weiler
- Re: [dnsext] CDS RRTYPE review - Comments period … Stephan Lagerholm
- Re: [dnsext] CDS RRTYPE review - Comments period … Olafur Gudmundsson
- Re: [dnsext] CDS RRTYPE review - Comments period … Mark Andrews
- Re: [dnsext] CDS RRTYPE review - Comments period … Stephan Lagerholm
- Re: [dnsext] CDS RRTYPE review - Comments period … Stephan Lagerholm
- Re: [dnsext] CDS RRTYPE review - Comments period … Mark Andrews
- Re: [dnsext] CDS RRTYPE review - Comments period … Roy Arends