Re: preconfigured keys or ds's

Rob Austein <sra+dnsop@hactrn.net> Wed, 09 April 2003 02:18 UTC

Received: from nic.cafax.se (nic.cafax.se [192.71.228.17]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA12390 for <dnsop-archive@lists.ietf.org>; Tue, 8 Apr 2003 22:18:59 -0400 (EDT)
Received: from nic.cafax.se (localhost [127.0.0.1]) by nic.cafax.se (8.12.9/8.12.9) with ESMTP id h391u3RN001055 for <dnsop-outgoing@nic.cafax.se>; Wed, 9 Apr 2003 03:56:03 +0200 (MEST)
Received: from localhost (localhost [[UNIX: localhost]]) by nic.cafax.se (8.12.9/8.12.9/Submit) id h391u3MX001054 for dnsop-outgoing; Wed, 9 Apr 2003 03:56:03 +0200 (MEST)
X-Authentication-Warning: nic.cafax.se: majordom set sender to owner-dnsop@cafax.se using -f
Received: from thrintun.hactrn.net (dsl092-066-067.bos1.dsl.speakeasy.net [66.92.66.67]) by nic.cafax.se (8.12.9/8.12.9) with ESMTP id h391u2RN001049 for <dnsop@cafax.se>; Wed, 9 Apr 2003 03:56:02 +0200 (MEST)
Received: from thrintun.hactrn.net (localhost [::1]) by thrintun.hactrn.net (Postfix) with ESMTP id 6CF3B18ED; Tue, 8 Apr 2003 21:55:56 -0400 (EDT)
Date: Tue, 08 Apr 2003 21:55:56 -0400
From: Rob Austein <sra+dnsop@hactrn.net>
To: dnsop@cafax.se
Subject: Re: preconfigured keys or ds's
In-Reply-To: <20030331132915.GA2912@atoom.net>
References: <20030331132915.GA2912@atoom.net>
User-Agent: Wanderlust/2.8.1 (Something) Emacs/20.7 Mule/4.0 (HANANOEN)
MIME-Version: 1.0 (generated by SEMI 1.14.4 - "Hosorogi")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20030409015556.6CF3B18ED@thrintun.hactrn.net>
Sender: owner-dnsop@cafax.se
Precedence: bulk

Almost lost this one under other traffic.

At Mon, 31 Mar 2003 15:29:15 +0200, Miek Gieben wrote:
> 
> I would like to see the following documented, but I don't know for sure
> if it is a dnssec or dnsop issue:
> 
> The preconfigured keys for resolvers are large and are hard to compare
> and read (by humans). DS records on the other hand are much smaller
> and easier to handle. I think it would be better to preconfigure
> DS records instead of zone keys for resolvers. This is also how
> my perl resolver works.

<hat dnsop-wg-co-chair=off dnssec-editors-team-member=off>

  This sounds like a reasonable implementation choice.

</hat>

> Where to put this? In the dnssec drafts or in a separate dnsop BCP?

<hat dnsop-wg-co-chair=off dnssec-editors-team-member=on>

  The current DNSSECbis drafts don't talk about using trusted DS RRs
  as a starting point, only trusted KEYs.  Given the last paragraph of
  section 2.4.1 of draft-ietf-dnsext-delegation-signer-13.txt, this
  looks like an oversight (probably mine, since I was probably the
  last person to work on the relevant text in the DNSSECbis drafts).

  So the DNSSECbis spec needs fixing, and I don't expect anybody to
  argue against the fix, but for process reasons it'd be best to post
  an explanation to namedroppers first, so I'll do that.

</hat>

<hat dnsop-wg-co-chair=on dnssec-editors-team-member=off>

  Because of the above, at least part of this is a DNSEXT issue.

</hat>
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
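The check the thread is about, a resolver holding a preconfigured DS for a zone and validating the zone's DNSKEY against it rather than carrying the full key, as an added example; this is not code from the thread or from Miek's Perl resolver. It derives the DS fields (key tag, algorithm, digest type, digest over the canonical owner name plus DNSKEY RDATA) from a constructed, non-real DNSKEY for `example.`; SHA-1 is the digest type in the delegation-signer draft under discussion, and SHA-256 is included as the later-added digest type 2.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag: sum of big-endian 16-bit words over the RDATA, carry folded in (RFC 4034 App. B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types: 1 = SHA-1, 2 = SHA-256

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()

def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """The DS tuple (key tag, algorithm, digest type, hex digest) a resolver would preconfigure."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type).hex())

def matches_trust_anchor(owner: str, rdata: bytes, anchor: tuple) -> bool:
    """Resolver-side check: does the DNSKEY fetched from the zone match the configured DS?"""
    tag, alg, dtype, digest_hex = anchor
    if key_tag(rdata) != tag or rdata[3] != alg or dtype not in DIGESTS:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, dtype).hex(), digest_hex)

# Constructed sample: not a real key, just bytes of plausible length; flags 257 marks a zone KSK.
SAMPLE_OWNER = "example."
SAMPLE_KEY = dnskey_rdata(257, 3, 5, bytes(range(64)))
SAMPLE_ANCHOR = make_ds(SAMPLE_OWNER, SAMPLE_KEY, 1)

if __name__ == "__main__":
    print("configured DS:", SAMPLE_ANCHOR)
    print("zone DNSKEY validates:", matches_trust_anchor(SAMPLE_OWNER, SAMPLE_KEY, SAMPLE_ANCHOR))
    tampered = SAMPLE_KEY[:-1] + bytes([SAMPLE_KEY[-1] ^ 1])
    print("tampered DNSKEY validates:", matches_trust_anchor(SAMPLE_OWNER, tampered, SAMPLE_ANCHOR))
```

The DS tuple is what gets written into the resolver's configuration; the full DNSKEY only has to be fetched and checked at run time, which is the size and readability gain the thread argues for.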