RE: [dnsop] Question on key rollover requirement

"Scott Hollenbeck" <sah@428cobrajet.net> Tue, 14 September 2004 19:04 UTC

From: Scott Hollenbeck <sah@428cobrajet.net>
To: 'Gilles Guette' <gguette@irisa.fr>, 'dnsop' <dnsop@lists.uoregon.edu>
Subject: RE: [dnsop] Question on key rollover requirement
Date: Tue, 14 Sep 2004 13:41:44 -0400
Message-ID: <5BEA6CDB196A4241B8BE129D309AA4AF02E0F8C5@vsvapostal8.vcorp.ad.vrsn.com>
In-Reply-To: <414700CB.8070909@irisa.fr>

> -----Original Message-----
> From: Gilles Guette [mailto:gguette@irisa.fr] 
> Sent: Tuesday, September 14, 2004 10:32 AM
> To: dnsop
> Subject: [dnsop] Question on key rollover requirement
> 
> 
>   Hello,
> 
>   In the draft draft-ietf-dnsop-key-rollover-requirements-01.txt
>   we define requirements for automated key rollover between parent and
>   child zones.
> 
>   In section 4, we propose to use only DNSSEC mechanisms to secure
>   exchanged data between parent and child zones. Recent
>   comments from Olaf suggest using another mechanism.
> 
>   I think the first question is:
>   Do the requirements include the choice of the mechanism used
>   to secure keys exchanged between parent and child zones?

From my (admittedly biased*) perspective, yes, more than one method should
be available.  Some name server operators have to disallow certain update
and query features of the DNS protocol because the additional load on the
servers can have an adverse impact on "normal" query-response performance.
Exchanging DNSSEC data in-band is likely to fall into the same category of
operations.  I thus believe there are benefits to having other methods
available for parent-child communications.

>   If the answer is yes, there are several choices:
> 
>   DNSSEC only: the motivation to use only DNSSEC mechanisms is to keep
>   the automatic key rollover process independent from other protocols.
> 
>   Using IPsec to secure communications.
>   Using EPP.
>   ...
> 
>   We think that comments and discussions about this point are
>   needed to enlighten the pros and cons of each choice.

EPP is a definite possibility for those zone administrators who happen to be
using it for other related data provisioning services.  It won't be the
right answer for everyone, but I believe it makes sense to use this channel
if the infrastructure to support it is already in place.

-Scott-
* I am the author of an EPP-based mechanism for parent-child data exchange.


dnsop resources:
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html