Re: [DNSOP] how to delete obsolete DS for obsolete DNSKEY using CDS/CDNSKEY

Joe Abley <jabley@hopcount.ca> Fri, 07 February 2014 19:56 UTC

Content-Type: multipart/signed; boundary="Apple-Mail=_F7624359-B49E-45E6-B0BB-F97198D97BB6"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <CAHw9_iLw6+php0bNg4UTm0z2Xf8Luzbx-TRC8xxZBKvGcgz+ew@mail.gmail.com>
Date: Fri, 07 Feb 2014 14:56:24 -0500
Message-Id: <3F1E65D0-BD09-4465-8D94-EB601420C07B@hopcount.ca>
References: <CAJE_bqe95pn8rHvK3UffPDn+_rGYiq2G5sfdgqisH4JG7gFjBA@mail.gmail.com> <CAHw9_i+Jt4Ok+CddheGT_nA=e4srgbUSQy98GeQ9qGn_Cncjag@mail.gmail.com> <52F52215.9090709@dougbarton.us> <CAHw9_i+Aanz5NZVO5Q_x=1zyFzHZSmeU6yoLx3cDkwD2sC-XMA@mail.gmail.com> <52F52386.4070305@dougbarton.us> <0D3FD7ED-0A92-4B8E-9619-2B7D84013DD6@hopcount.ca> <CAHw9_iLw6+php0bNg4UTm0z2Xf8Luzbx-TRC8xxZBKvGcgz+ew@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] how to delete obsolete DS for obsolete DNSKEY using CDS/CDNSKEY
Precedence: list

On 2014-02-07, at 14:22, Warren Kumari <warren@kumari.net> wrote:

> On Fri, Feb 7, 2014 at 2:12 PM, Joe Abley <jabley@hopcount.ca> wrote:
> 
>> On 2014-02-07, at 13:18, Doug Barton <dougb@dougbarton.us> wrote:
>> 
>>> On 02/07/2014 10:14 AM, Warren Kumari wrote:
>>> 
>>>> We are not allowing zones to go from unsigned to signed:
>>> 
>>> Right, and because it says not to do it in the RFC no one is going to do it? :)
>> 
>> I don't see how it would work. The parental agent has no automated way to trust the C* RRSets published in a zone with no secure delegation from its parent.
> 
> No no no... You don't see how it would work *securely*.

Fair enough. I had taken that as a given, but you're right, it makes sense to spell it out.


Joe

Attachment: signature.asc

[DNSOP] how to delete obsolete DS for obsolete DN… 神明達哉
Re: [DNSOP] how to delete obsolete DS for obsolet… Warren Kumari
Re: [DNSOP] how to delete obsolete DS for obsolet… Tony Finch
Re: [DNSOP] how to delete obsolete DS for obsolet… 神明達哉
Re: [DNSOP] how to delete obsolete DS for obsolet… Doug Barton
Re: [DNSOP] how to delete obsolete DS for obsolet… Warren Kumari
Re: [DNSOP] how to delete obsolete DS for obsolet… Doug Barton
Re: [DNSOP] how to delete obsolete DS for obsolet… Olafur Gudmundsson
[DNSOP] DNSKEY Flags vs. CDS/CDNSKEY Mukund Sivaraman
Re: [DNSOP] how to delete obsolete DS for obsolet… Warren Kumari
Re: [DNSOP] DNSKEY Flags vs. CDS/CDNSKEY Joe Abley
Re: [DNSOP] how to delete obsolete DS for obsolet… Joe Abley
Re: [DNSOP] how to delete obsolete DS for obsolet… Warren Kumari
Re: [DNSOP] how to delete obsolete DS for obsolet… Joe Abley
Re: [DNSOP] DNSKEY Flags vs. CDS/CDNSKEY Paul Wouters
Re: [DNSOP] DNSKEY Flags vs. CDS/CDNSKEY Olafur Gudmundsson
Re: [DNSOP] how to delete obsolete DS for obsolet… JINMEI Tatuya / 神明達哉
Re: [DNSOP] how to delete obsolete DS for obsolet… JINMEI Tatuya / 神明達哉

Re: [DNSOP] how to delete obsolete DS for obsolete DNSKEY using CDS/CDNSKEY

Attachment: signature.asc