Re: DNSSECbis Q-07: Discuss preconfigured trusted DSs in addition to preconfigured trusted KEYs?
Derek Atkins <warlord@MIT.EDU> Wed, 09 April 2003 20:52 UTC
From: Derek Atkins <warlord@MIT.EDU>
Subject: Re: DNSSECbis Q-07: Discuss preconfigured trusted DSs in addition to preconfigured trusted KEYs?
Date: Wed, 09 Apr 2003 16:52:50 -0400
Lines: 97
Sender: owner-namedroppers@ops.ietf.org
References: <20030331132915.GA2912@atoom.net> <20030409015556.6CF3B18ED@thrintun.hactrn.net> <20030409030333.E8E6518ED@thrintun.hactrn.net> <20030409200750.440EC18E6@thrintun.hactrn.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: namedroppers@ops.ietf.org
X-From: owner-namedroppers@ops.ietf.org Wed Apr 09 23:19:13 2003
Return-path: <owner-namedroppers@ops.ietf.org>
To: Rob Austein <sra+namedroppers@hactrn.net>
In-Reply-To: <20030409200750.440EC18E6@thrintun.hactrn.net>
Lines: 91
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
Precedence: bulk
X-Message-ID:
Message-ID: <20140418071715.2560.54695.ARCHIVE@ietfa.amsl.com>
Effectively what you are saying is that you want to store a hash of the trusted key rather than the key itself. I'm not sure what I think about this. On the face of it, it should work just fine. However you're now trusting the hash algorithm to root your key. -derek Rob Austein <sra+namedroppers@hactrn.net> writes: > DNSSECbis Q-07: > > Should the DNSSECbis documents discuss use of preconfigured trusted > DSs in addition to to preconfigured trusted KEYs? > > Discussion: > > As currently written, the DNSSECbis documents (specifically, > -protocol) only talk about how to establish a chain of trust > starting with preconfigured trusted keys. At least one member of > the dnssec-editors team believes that this is just an oversight, > since section 2.4.1 of -delegation-signer-13 specifically mentions > the possibility of using DS RRs as a means of listing trusted keys > in configuration files. > > Message from the DNSOP WG mailing list attached below for context. > > Miek has kindly volunteered to work with the editors on wording. > > > --[[message/rfc822] > Date: Tue, 08 Apr 2003 21:55:56 -0400 > From: Rob Austein <sra+dnsop@hactrn.net> > To: dnsop@cafax.se > Subject: Re: preconfigured keys or ds's > References: <20030331132915.GA2912@atoom.net> > MIME-Version: 1.0 (generated by SEMI 1.14.4 - "Hosorogi") > Content-Type: text/plain; charset=US-ASCII > Message-Id: <20030409015556.6CF3B18ED@thrintun.hactrn.net> > > At Mon, 31 Mar 2003 15:29:15 +0200, Miek Gieben wrote: > > > > I would like to see the following documented, but I don't know for sure > > if it is a dnssec or dnsop issue: > > > > The preconfigured keys for resolvers are large and are hard to compare > > and read (by humans). DS records on the other hand are much smaller > > and easier to handle. I think it would be better to preconfigure > > DS records in stead of zone keys for resolvers. This is also how > > my perl resolver works. > > <hat dnsop-wg-co-chair=off dnssec-editors-team-member=off> > > This sounds like a reasonable implementation choice. > > </hat> > > > Where to put this? In the dnssec drafts or in a seperate dnsop BCP? > > <hat dnsop-wg-co-chair=off dnssec-editors-team-member=on> > > The current DNSSECbis drafts don't talk about using trusted DS RRs > as a starting point, only trusted KEYs. Given the last paragraph of > section 2.4.1 of draft-ietf-dnsext-delegation-signer-13.txt, this > looks like an oversight (probably mine, since I was probably the > last person to work on the relevant text in the DNSSECbis drafts). > > So the DNSSECbis spec needs fixing, and I don't expect anybody to > argue against the fix, but for process reasons it'd be best to post > an explanation to namedroppers first, so I'll do that. > > </hat> > > <hat dnsop-wg-co-chair=on dnssec-editors-team-member=off> > > Because of the above, at least part of this is a DNSEXT issue. > > </hat> > > -- > to unsubscribe send a message to namedroppers-request@ops.ietf.org with > the word 'unsubscribe' in a single line as the message text body. > archive: <http://ops.ietf.org/lists/namedroppers/> -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH warlord@MIT.EDU PGP key available -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- DNSSECbis Q-07: Discuss preconfigured trusted DSs… Rob Austein
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Derek Atkins
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Rob Austein
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Derek Atkins
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Olaf M. Kolkman
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Miek Gieben
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Ólafur Guðmundsson
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Edward Lewis
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Scott Rose
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Miek Gieben
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Edward Lewis
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Miek Gieben
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Edward Lewis
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Derek Atkins
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Edward Lewis
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Derek Atkins
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Edward Lewis
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Derek Atkins
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Edward Lewis
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Miek Gieben
- Re: DNSSECbis Q-07: Discuss preconfigured trusted… Edward Lewis