[DNSOP] DS placement

Paul Vixie <paul@redbarn.org> Tue, 28 March 2017 18:00 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/arjoVK7nX8ffsjumNnGvKgZmgvU>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

Paul Vixie wrote:
> i got underscores wrong in SRV. it may be that we should not follow that
> track at all.
> ...

this reminds me of the following related topic.

had SRV done underscores correctly, then the placement of DS would have
been more obvious. right now it's at the delegation point, which was
seen as the only way to make it part of the delegating zone. it's not.

if the vix.su DS could have been placed at vix._dnssec.su, where _dnssec
was an in-zone (non-delegated) label, then the middlebox RDNS servers
who do not know (and will never know) to forward DS queries to the
delegator not the delegated, would not be slowing dnssec deployment.

some of you heard me talk about this as "the cousins solution" years ago.

P Vixie
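
The routing difference the message describes, as an added example that is not part of the original post: a forwarder that picks its upstream by longest zone match sends a DS query for vix.su to the delegated zone, while the same logic sends a query for the proposed vix._dnssec.su name to the delegating zone with no DS-specific handling. The forwarding table, server labels and function names are constructed for illustration; only the zone names come from the message.

```python
# Constructed forwarding table for a middlebox resolver: zone -> server set.
# Zone names come from the message; the server labels are placeholders.
FORWARD_ZONES = {
    ".": "root-servers",
    "su.": "su-servers",          # delegating (parent) zone
    "vix.su.": "vix.su-servers",  # delegated (child) zone
}

def labels(name):
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def closest_zone(qname, zones=FORWARD_ZONES):
    """Longest-suffix match of qname against the configured zones."""
    parts = labels(qname)
    for i in range(len(parts) + 1):
        candidate = ".".join(parts[i:]) + "." if parts[i:] else "."
        if candidate in zones:
            return candidate
    raise LookupError(f"no zone configured for {qname!r}")

def naive_target(qname, qtype, zones=FORWARD_ZONES):
    """Forwarder that ignores qtype: every query goes to the closest zone."""
    return zones[closest_zone(qname, zones)]

def ds_aware_target(qname, qtype, zones=FORWARD_ZONES):
    """DS lives on the parent side of the cut, so step up one label first."""
    if qtype == "DS" and labels(qname):
        qname = ".".join(labels(qname)[1:])
    return zones[closest_zone(qname, zones)]

def cousin_name(child, parent, label="_dnssec"):
    """Hypothetical placement from the message: vix.su. -> vix._dnssec.su."""
    c, p = labels(child), labels(parent)
    split = len(c) - len(p)
    if split <= 0 or c[split:] != p:
        raise ValueError(f"{child!r} is not below {parent!r}")
    return ".".join(c[:split] + [label] + p) + "."

if __name__ == "__main__":
    cousin = cousin_name("vix.su.", "su.")
    print("naive    DS vix.su.  ->", naive_target("vix.su.", "DS"))
    print("DS-aware DS vix.su.  ->", ds_aware_target("vix.su.", "DS"))
    print(f"naive    DS {cousin} ->", naive_target(cousin, "DS"))
```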