Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

Olafur Gudmundsson <> Wed, 09 March 2011 18:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 11CBA3A6928 for <>; Wed, 9 Mar 2011 10:46:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.548
X-Spam-Status: No, score=-102.548 tagged_above=-999 required=5 tests=[AWL=0.051, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Z17RdXHBuDq2 for <>; Wed, 9 Mar 2011 10:46:40 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 909A33A692A for <>; Wed, 9 Mar 2011 10:46:39 -0800 (PST)
Received: from [IPv6:::1] ( []) by (8.14.4/8.14.4) with ESMTP id p29IltDf046842 for <>; Wed, 9 Mar 2011 13:47:55 -0500 (EST) (envelope-from
Message-ID: <>
Date: Wed, 09 Mar 2011 13:47:49 -0500
From: Olafur Gudmundsson <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv: Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
References: <> <> <72A22513B1644CFE9023189F93BFDD32@local> <> <758260B7B5B34599BA80D9BA5A3840C0@local> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 09 Mar 2011 18:46:42 -0000

On 09/03/2011 4:05 AM, Miek Gieben wrote:
> [ Quoting George Barwood in "Re: [dnsext] CDS RRTYPE review - Co"... ]
>>>>> Why not just use the child zone's SEP DNSKEY RRs for this purpose?
>>>>  From the draft
>>>>    key, delaying the time at which an attacker can start cryptanalysis;
>>> So this is the sole reason for adding this new type?
>> There are 4 reasons given, why do you quote only one?
>> Please don't quote selectively.
> it is the first reason you give in the introduction in the draft.
>> One could probably add yet more reasons, e.g.
>> It gives the child control over which Digest Type is used.
>> It allows new Digest types to be deployed easily.
>> It allows easy verification (by humans) as to whether the parent and child zones are in sync.
>> But these are really just examples, fundamentally it's just proper design.
>> It gives the child zone proper control of the parent DS RRset.
> ...if the parent cooperates...
> Is this proposal aimed at TLDs or at smaller zones? Because for .nl we
> are just going to use EPP and let the registrar send in a DNSKEY which
> we will convert to a DS (so you can not even choose your own hash
> algo).

DNS >> TLD's  and even in among your registrars when do you expect the 
last one to support DNSSEC updating of DS records?

This mechanism can be used anywhere in the tree, and all it needs for 
use is a simple DNS lookup.
How the parent is told to perform the lookup or how frequently the 
parent does the lookup is outside the scope of this application.