Re: [dnsext] slave signing, was does making names the same NEED protocol changes at all?

John Levine <johnl@iecc.com> Sun, 27 February 2011 15:18 UTC

Date: Sun, 27 Feb 2011 15:18:56 -0000
Message-ID: <20110227151856.6110.qmail@joyce.lan>
From: John Levine <johnl@iecc.com>
To: dnsext@ietf.org
In-Reply-To: <AANLkTim24j3cTV6E3bc78P2xsKoDTKQQNJ6dCe6jjKq+@mail.gmail.com>
Subject: Re: [dnsext] slave signing, was does making names the same NEED protocol changes at all?
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>

>1) How is key publication going to be effected for rDNS-SEC?
>
>Have we actually got a plan for deployment?

As far as I can tell, we don't have a plan for deployment of rDNS on
IPv6, with or without DNSSEC.  But like I said, I'd rather leave those
worms in the can other than to note that dynamic generation and
presumably signing of AAAA and PTR records may turn out to be one of
the least bad options.

We don't have a plan for IPv6 DNSBLs and DNSWLs either, but if it
ends up being anything like what people do for IPv4 (an open question,
due to DNS cache explosion problems) rbldnsd is going to have to sign
on the fly, too.

R's,
John