Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

Fredrik Ljunggren <> Thu, 19 July 2012 07:41 UTC

From: Fredrik Ljunggren <>
Date: Thu, 19 Jul 2012 09:42:11 +0200
To: Russ Housley <>
Cc: Joe Abley <>

On 2012-07-18, at 01:06, Russ Housley wrote:

> I think you missed my point.  In a PKI, when the issuer significantly changes the policy, subsequent certificates have a different policy identifier.  I do not see a similar concept here.

Russ, you are right. There is no such concept in DNSSEC (yet). Simply by looking at the signed data, there is no way of determining under what policy the data has been signed. Interested parties must stay informed using the process specified in section 1.4.3 (Specification change procedures) of the DPS.

Generally speaking, DNSSEC signatures are short-lived. From the time a new policy is in effect, old signatures will be flushed out within days. However, if there are significant changes made to the policy which materially affect the security posture of the zone, there may be several reasons to roll the signing key(s) and to indicate this in the DPS. This way, the validating party will be able to determine under what policy a signature has been generated, and act accordingly.

- Fredrik
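The point above (an RRSIG carries no policy identifier, so a key roll is the only signal a validator can tie to a DPS change) as an added example that is not part of the thread; the key-tag-to-policy table and the RRSIG records are constructed for illustration.

```python
# Added example (not from the thread): an RRSIG carries no policy identifier,
# so the only link from a signature to a DPS version is the signing key tag,
# resolved through a table the zone operator publishes out of band.
from collections import namedtuple
from datetime import datetime, timezone

Rrsig = namedtuple("Rrsig", "owner type_covered expiration inception key_tag")

def utc(ts: str) -> datetime:
    """Parse the YYYYMMDDHHMMSS timestamps used in RRSIG presentation format."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line: str) -> Rrsig:
    """Parse one RRSIG in presentation format (RFC 4034 section 3.2 field order)."""
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return Rrsig(f[0], f[4], utc(f[8]), utc(f[9]), int(f[10]))

# Constructed (hypothetical) table: key tags from the DPS change log against the
# policy version each was introduced under. Key tags can collide, so a real
# validator should key this on the full DNSKEY RDATA instead.
KEY_POLICY = {12345: "DPS-1.0", 23456: "DPS-2.0"}

def signature_policy(sig: Rrsig, now: datetime, key_policy=KEY_POLICY):
    """Return (policy, status); status is 'current', 'outside-validity' or 'unknown-key'."""
    policy = key_policy.get(sig.key_tag)
    if policy is None:
        return (None, "unknown-key")
    if not (sig.inception <= now <= sig.expiration):
        return (policy, "outside-validity")
    return (policy, "current")

def policies_in_effect(lines, now: datetime, key_policy=KEY_POLICY):
    """Policy versions still covering signatures that are valid at `now`."""
    found = set()
    for line in lines:
        policy, status = signature_policy(parse_rrsig(line), now, key_policy)
        if status == "current":
            found.add(policy)
    return found

# Constructed sample: one signature per key (12345 under DPS-1.0, 23456 under
# DPS-2.0) plus one by a key the table does not know. Signature data is dummy.
SIGS = [
    "example.com. 3600 IN RRSIG SOA 13 2 3600 20120725000000 20120711000000 12345 example.com. AAAA",
    "example.com. 3600 IN RRSIG NS 13 2 3600 20120805000000 20120722000000 23456 example.com. BBBB",
    "www.example.com. 3600 IN RRSIG A 13 3 3600 20120801000000 20120718000000 34567 example.com. CCCC",
]
```

Running `policies_in_effect(SIGS, utc("20120728000000"))` shows only DPS-2.0 remaining once the older key's short-lived signatures have expired, which is the flush-out effect described in the reply.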