Re: [DNSOP] draft-hardaker-dnsop-csync-00.txt versus draft-kumari-ogud-dnsop-cds-02.txt
Wes Hardaker <wjhns1@hardakers.net> Wed, 03 July 2013 16:02 UTC
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 339F911E81CA for <dnsop@ietfa.amsl.com>; Wed, 3 Jul 2013 09:02:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l2Fh5OTyOU+M for <dnsop@ietfa.amsl.com>; Wed, 3 Jul 2013 09:02:18 -0700 (PDT)
Received: from mail.hardakers.net (dawn.hardakers.net [IPv6:2001:470:1f00:187::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3319011E81E4 for <dnsop@ietf.org>; Wed, 3 Jul 2013 09:01:52 -0700 (PDT)
Received: from localhost (unknown [IPv6:2001:470:1f00:187:48d8:a8e1:e3ed:504b]) by mail.hardakers.net (Postfix) with ESMTPSA id 6F4482BC51; Wed, 3 Jul 2013 09:01:51 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Antoin Verschuren <Antoin.Verschuren@sidn.nl>
References: <20130617165829.2638.88322.idtracker@ietfa.amsl.com> <DD7454F5-6B16-4EBA-A380-C51E2302E5E9@kumari.net> <2310CDA9-DFB9-4F57-8DB1-F18B7B5F6874@kumari.net> <ED84A6DE40A3EE48BFB5CEC46D007D9655586F27@kambx2.SIDN.local>
Date: Wed, 03 Jul 2013 09:01:50 -0700
In-Reply-To: <ED84A6DE40A3EE48BFB5CEC46D007D9655586F27@kambx2.SIDN.local> (Antoin Verschuren's message of "Mon, 1 Jul 2013 15:16:50 +0000")
Message-ID: <0lmwq3hbtd.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] draft-hardaker-dnsop-csync-00.txt versus draft-kumari-ogud-dnsop-cds-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2013 16:02:19 -0000
Antoin Verschuren <Antoin.Verschuren@sidn.nl> writes: > In simple words, what do I do as a parent (or parental agent) when I > recieve information over the DNS that conflicts with data I receive > over the administrative channel. Which data should I follow. Well, ordering really matters for that, right? I mean there are two choices: 1) I detect a change in DNS data and then receive an operational change via HTTP or some other mechanism. In this case, I think it's fairly clear that the out-of-band HTTP configuration should always supersede. 2) I receive the HTTP request and then notice a DNS change. This case also looks fairly straight forward (but keep reading), as clearly you act on the HTTP request and then a second request (via DNS) comes in second. So you act then on it. The only problem with this approach is when an admin really isn't thinking, publishing something in DNS to make a change, realizes he wants to act immediately and publishes something through the HTTP form interface that *conflicts* with the DNS publish. The HTTP poke goes through immediately, because it's client initiated, so the DNS pull from the parent could come *after* the http submission even though it was published first. If the admin failed to revoke the DNS CSYNC (or whatever) request when in the process of updating over http, that's a mistake on their part (if it conflicts at least). I'd argue that we shouldn't worry about solving this case, as it's clearly a publication of conflict of information. We could warn against it in the operational guidance section though. > It was stated that when a parent is requesting DNSKEY instead of DS, > and the parent calculates the DS, the disadvantage is that the child > cannot choose the digest algorithm. You're right the parent can offer static preferences configured elsewhere. But it's not done in-band. There are rumors (which I haven't verified) that some parents dictate what algorithms they use and the child has no choice. I'm sure there are others that have a set of checkboxes, which lets the child configure the parent's engine too. (and many more parents, of course, allow for DS uploading leaving everything in the hands of the child). > I fail to see how publishing a DS in a CDS record for your standby key > is much more safer from publishing the DNSKEY of your standby key. I agree with you, assuming you can publish your DNSKEY as a separate record (or else people may read it, cache it, memorize it, run tests with it, etc). But no matter how much I agree with you it won't stop others from wanting an oxymoron: "the private public key". -- Wes Hardaker Parsons
- [DNSOP] Fwd: New Version Notification for draft-k… Warren Kumari
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] Fwd: New Version Notification for dra… Wes Hardaker
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthijs Mekking
- Re: [DNSOP] New Version Notification for draft-ku… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-ku… Edward Lewis
- Re: [DNSOP] New Version Notification for draft-ku… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-ku… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-ku… Matthijs Mekking
- Re: [DNSOP] New Version Notification for draft-ku… Warren Kumari
- [DNSOP] draft-hardaker-dnsop-csync-00.txt versus … Antoin Verschuren
- Re: [DNSOP] draft-hardaker-dnsop-csync-00.txt ver… Wes Hardaker
- Re: [DNSOP] New Version Notification for draft-ku… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-ku… John Dickinson
- Re: [DNSOP] New Version Notification for draft-ku… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-ku… Patrik Fältström
- Re: [DNSOP] New Version Notification for draft-ku… Dickson, Brian
- Re: [DNSOP] New Version Notification for draft-ku… Patrik Fältström
- Re: [DNSOP] New Version Notification for draft-ku… Andrew Sullivan
- Re: [DNSOP] New Version Notification for draft-ku… Antoin Verschuren
- Re: [DNSOP] New Version Notification for draft-ku… Antoin Verschuren
- Re: [DNSOP] New Version Notification for draft-ku… Patrik Fältström
- Re: [DNSOP] New Version Notification for draft-ku… Antoin Verschuren
- Re: [DNSOP] New Version Notification for draft-ku… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-ku… Dickson, Brian
- Re: [DNSOP] New Version Notification for draft-ku… Edward Lewis
- Re: [DNSOP] New Version Notification for draft-ku… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-ku… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-ku… Antoin Verschuren
- Re: [DNSOP] New Version Notification for draft-ku… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-ku… John Dickinson
- Re: [DNSOP] New Version Notification for draft-ku… Jim Lahey
- Re: [DNSOP] New Version Notification for draft-ku… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-ku… Tim Wicinski