Re: [keyassure] Asserting DANE exclusivity for an entire domain

Olafur Gudmundsson <ogud@ogud.com> Mon, 28 March 2011 12:55 UTC

Message-ID: <4D908590.5020302@ogud.com>
Date: Mon, 28 Mar 2011 08:56:48 -0400
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: keyassure@ietf.org
References: <1296575340.1888.27.camel@mattlaptop2.local> <4D49178F.9060308@nic.cz> <1296657079.1889.8.camel@mattlaptop2.local> <m3lj1ykvav.fsf@jhcloos.com> <1296688716.2621.20.camel@mattlaptop2.local> <m3zkqdhxsm.fsf@jhcloos.com>
In-Reply-To: <m3zkqdhxsm.fsf@jhcloos.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [keyassure] Asserting DANE exclusivity for an entire domain
Precedence: list

On 03/02/2011 11:45 AM, James Cloos wrote:
>>>>>> "MM" == Matt McCutchen<matt@mattmccutchen.net>  writes:
>
>>> Since we rely on DNSSEC anyway, DS records are the ideal way to
>>> determine zone cut points.  They are grabbed anyway as a matter
>>> of course and provide all the clue required.
>
> MM>  Right... but do DNSSEC client libraries make it easy to access this
> MM>  information without doing a separate query for the DS record?
>
> Even if they do not, the resolver had to grab the DS as part of the
> validation, so the round trip for an extra DS lookup by the end client
> is by definition local, often even same-process.
>
> -JimC

Actually the RRSIG(DTLS) is an even better indicator the zone name ==
signer name, there is no need to look up the DS record from the client.

	Olafur

[keyassure] Asserting DANE exclusivity for an ent… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Nicholas Weaver
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Martin Rex
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Jakob Schlyter
Re: [keyassure] Asserting DANE exclusivity for an… Ondřej Surý
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… James Cloos
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… James Cloos
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Nicholas Weaver
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Mark Andrews
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Martin Rex
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Andrew Sullivan
Re: [keyassure] Asserting DANE exclusivity for an… Zack Weinberg
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Paul Wouters
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Ilari Liusvaara
Re: [keyassure] Asserting DANE exclusivity for an… Phillip Hallam-Baker
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Ilari Liusvaara
Re: [keyassure] Asserting DANE exclusivity for an… Matt McCutchen
Re: [keyassure] Asserting DANE exclusivity for an… Olafur Gudmundsson