IETF Logo Mail Archive

Re: [DNSOP] Fwd: New Version Notificationfordraft-mekking-dnsop-auto-cpsync-00

"Stephan Lagerholm" <stephan.lagerholm@secure64.com> Wed, 30 June 2010 13:25 UTC

Return-Path: <stephan.lagerholm@secure64.com>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EBC3828C0D0 for <dnsop@core3.amsl.com>; Wed, 30 Jun 2010 06:25:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xH8xYcTkN5yc for <dnsop@core3.amsl.com>; Wed, 30 Jun 2010 06:25:40 -0700 (PDT)
Received: from mail.secure64.com (mail.secure64.com [66.37.130.20]) by core3.amsl.com (Postfix) with ESMTP id 9A4C33A69B3 for <dnsop@ietf.org>; Wed, 30 Jun 2010 06:25:40 -0700 (PDT)
Received: by mail.secure64.com (Postfix, from userid 65534) id 568DF12578C49; Wed, 30 Jun 2010 07:25:51 -0600 (MDT)
Received: from exchange.secure64.com (exchange.secure64.com [192.168.254.250]) by mail.secure64.com (Postfix) with ESMTP id 202A7C3B1472; Wed, 30 Jun 2010 07:25:50 -0600 (MDT)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Wed, 30 Jun 2010 07:25:48 -0600
Message-ID: <DD056A31A84CFC4AB501BD56D1E14BBB826C10@exchange.secure64.com>
In-Reply-To: <62CC4714954D4674A04FC5F9718E1D89@local>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [DNSOP] Fwd: New Version Notificationfordraft-mekking-dnsop-auto-cpsync-00
Thread-Index: AcsYQFa+mIqnCFN2Qe2OX90sWwqYTAAFdAIg
References: <4C29F2FA.1000907@nlnetlabs.nl> <62CC4714954D4674A04FC5F9718E1D89@local>
From: Stephan Lagerholm <stephan.lagerholm@secure64.com>
To: George Barwood <george.barwood@blueyonder.co.uk>, dnsop@ietf.org
Subject: Re: [DNSOP] Fwd: New Version Notificationfordraft-mekking-dnsop-auto-cpsync-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jun 2010 13:25:42 -0000

Hi Goerge,

What I like about your approach is the fact that is takes advantage of
DNSSEC. My opinion is that if DNSSEC is so great it would be cool if we
can define an update mechanism that utilizes it. This could be the first
real world application for DNSSEC.

I would encourage some type of notification mechanism so that the parent
doesn't have to poll blindly. Also, why not use a DNSKEY with another
flag to announce the availability of a new key instead of a new RR?
Similar to what RFC5011 is doing for a revoked key.

Thanks, S
----------------------------------------------------------------------
Stephan Lagerholm
Senior DNS Architect, M.Sc. ,CISSP
Secure64 Software Corporation, www.secure64.com
Cell: 469-834-3940
> -----Original Message-----
> From: dnsop-bounces@ietf.org [mailto:dnsop-bounces@ietf.org] On Behalf
Of
> George Barwood
> Sent: Wednesday, June 30, 2010 5:37 AM
> To: Matthijs Mekking; dnsop@ietf.org
> Subject: Re: [DNSOP] Fwd: New Version
Notificationfordraft-mekking-dnsop-
> auto-cpsync-00
> 
> I'd like to encourage some discussion of the relative merits of the
UPDATE
> approach
> 
> http://www.ietf.org/id/draft-mekking-dnsop-auto-cpsync-00.txt
> 
> compared to the publication approach outlined in the recent draft at
> 
> http://www.ietf.org/id/draft-barwood-dnsop-ds-publish-00.txt
> 
> I haven't yet done a well-considered analysis, and maybe this would be
> better
> undertaken by others, but here are some of my immediate thoughts:
> 
> I think the publication approach is somewhat simpler, at least for the
> child zone.
> It's very simple for signing software (including off-line signers) to
> generate the "CDS" RRset.
> Since there are many more child zones than parent zones, this seems
> significant.
> 
> The publication approach leverages the in-built redundancy of DNS
slave
> servers
> for transmitting information, and seems closer to the normal DNS
method of
> operation.
> 
> I also like the ability to simply check whether the parent and child
DS
> RRset
> are properly synchronised.
> 
> I'm a bit doubtful about the complications of setting up additional
secret
> keys for UPDATE.
> 
> Regards,
> George
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email