Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

[Olafur Gudmundsson <ogud@ogud.com>]

On 09/03/2011 4:05 AM, Miek Gieben wrote:
> [ Quoting George Barwood in "Re: [dnsext] CDS RRTYPE review - Co"... ]
>>>>> Why not just use the child zone's SEP DNSKEY RRs for this purpose?
>>>>
>>>>  From the draft http://tools.ietf.org/html/draft-barwood-dnsop-ds-publish-01
>>>>
>>>>    key, delaying the time at which an attacker can start cryptanalysis;
>>
>>> So this is the sole reason for adding this new type?
>>
>> There are 4 reasons given, why do you quote only one?
>> Please don't quote selectively.
>
> it is the first reason you give in the introduction in the draft.
>
>> One could probably add yet more reasons, e.g.
>> It gives the child control over which Digest Type is used.
>> It allows new Digest types to be deployed easily.
>> It allows easy verification (by humans) as to whether the parent and child zones are in sync.
>>
>> But these are really just examples, fundamentally it's just proper design.
>> It gives the child zone proper control of the parent DS RRset.
>
> ...if the parent cooperates...
>
> Is this proposal aimed at TLDs or at smaller zones? Because for .nl we
> are just going to use EPP and let the registrar send in a DNSKEY which
> we will convert to a DS (so you can not even choose your own hash
> algo).
>

DNS >> TLD's  and even in among your registrars when do you expect the 
last one to support DNSSEC updating of DS records?

This mechanism can be used anywhere in the tree, and all it needs for 
use is a simple DNS lookup.
How the parent is told to perform the lookup or how frequently the 
parent does the lookup is outside the scope of this application.

	Olafur
PS: