Re: [DNSOP] New Version Notification for draft-kumari-ogud-dnsop-cds-02.txt
"Dickson, Brian" <bdickson@verisign.com> Tue, 09 July 2013 23:06 UTC
Return-Path: <bdickson@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCE8511E8195 for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2013 16:06:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.549
X-Spam-Level:
X-Spam-Status: No, score=-6.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fzsb7YnHoqTZ for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2013 16:06:19 -0700 (PDT)
Received: from exprod6og127.obsmtp.com (exprod6og127.obsmtp.com [64.18.1.78]) by ietfa.amsl.com (Postfix) with ESMTP id DD1CD11E80C5 for <dnsop@ietf.org>; Tue, 9 Jul 2013 16:06:17 -0700 (PDT)
Received: from osprey.verisign.com ([216.168.239.75]) (using TLSv1) by exprod6ob127.postini.com ([64.18.5.12]) with SMTP ID DSNKUdyXaSZ76pHLN03W4fPK3H5GPpoFw8Ui@postini.com; Tue, 09 Jul 2013 16:06:18 PDT
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02.vcorp.ad.vrsn.com [10.173.152.206]) by osprey.verisign.com (8.13.6/8.13.4) with ESMTP id r69N6Cm5008918 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 9 Jul 2013 19:06:12 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.02.0342.003; Tue, 9 Jul 2013 19:06:12 -0400
From: "Dickson, Brian" <bdickson@verisign.com>
To: Andrew Sullivan <ajs@anvilwalrusden.com>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] New Version Notification for draft-kumari-ogud-dnsop-cds-02.txt
Thread-Index: AQHOfAvuWrMAm5DHG0e1RfsSfo7aNZlb1WYAgAEkTgA=
Date: Tue, 09 Jul 2013 23:06:11 +0000
Message-ID: <CE020CA5.B81E%bdickson@verisign.com>
In-Reply-To: <20130709013958.GD20597@mx1.yitter.info>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <A6C6C4827C29824FB21551CAC24D646B@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [DNSOP] New Version Notification for draft-kumari-ogud-dnsop-cds-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2013 23:06:25 -0000
On 7/8/13 9:39 PM, "Andrew Sullivan" <ajs@anvilwalrusden.com> wrote: >On Mon, Jul 08, 2013 at 06:49:53PM +0000, Dickson, Brian wrote: >> >> Thoughts? > >My immediate thought is, "What problem is this trying to solve?" Automating NS changes on the parent side, via child-signed-and-signalled in-zone data. If the CDS keys are needed for a change of DNS provider, it implies a new NS set on the parent (as well as the apex of the child). E.g. if someone needs to move a bunch of domains from one set of name servers to a different set, tools are likely better than doing it manually. CDS addresses the DS/DNSKEY part, but leaves the NS part unchanged. It's a problem which I presume exists or might exist, which goes along with the CDS problem: how do you automate "X", where "X" is currently done via web form? ("Automate" might merely be "integrate into a provisioning system"). I don't know if the problem actually exists, so until someone says, "Yeah, it is a problem", it is probably premature. It would really only make sense (or add value) if the domains were already DNSSEC delegations, and already doing CDS. If the key roll is being prompted by NS changes, then tying (loosely or tightly) the NS move with the CDS change, then the process reduces the probability of resolution breaking for any of the bunch. It would make sense basically only if the "PNS" RRset was signed, and would provide cryptographic protection on it, allowing for an in-band method of changing the NS on the parent side. It's not necessary, merely a convenience, or a way of facilitating better provisioning tools. Brian
- [DNSOP] Fwd: New Version Notification for draft-k… Warren Kumari
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] Fwd: New Version Notification for dra… Wes Hardaker
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthijs Mekking
- Re: [DNSOP] New Version Notification for draft-ku… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-ku… Edward Lewis
- Re: [DNSOP] New Version Notification for draft-ku… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-ku… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-ku… Matthijs Mekking
- Re: [DNSOP] New Version Notification for draft-ku… Warren Kumari
- [DNSOP] draft-hardaker-dnsop-csync-00.txt versus … Antoin Verschuren
- Re: [DNSOP] draft-hardaker-dnsop-csync-00.txt ver… Wes Hardaker
- Re: [DNSOP] New Version Notification for draft-ku… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-ku… John Dickinson
- Re: [DNSOP] New Version Notification for draft-ku… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-ku… Patrik Fältström
- Re: [DNSOP] New Version Notification for draft-ku… Dickson, Brian
- Re: [DNSOP] New Version Notification for draft-ku… Patrik Fältström
- Re: [DNSOP] New Version Notification for draft-ku… Andrew Sullivan
- Re: [DNSOP] New Version Notification for draft-ku… Antoin Verschuren
- Re: [DNSOP] New Version Notification for draft-ku… Antoin Verschuren
- Re: [DNSOP] New Version Notification for draft-ku… Patrik Fältström
- Re: [DNSOP] New Version Notification for draft-ku… Antoin Verschuren
- Re: [DNSOP] New Version Notification for draft-ku… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-ku… Dickson, Brian
- Re: [DNSOP] New Version Notification for draft-ku… Edward Lewis
- Re: [DNSOP] New Version Notification for draft-ku… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-ku… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-ku… Antoin Verschuren
- Re: [DNSOP] New Version Notification for draft-ku… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-ku… John Dickinson
- Re: [DNSOP] New Version Notification for draft-ku… Jim Lahey
- Re: [DNSOP] New Version Notification for draft-ku… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-ku… Tim Wicinski