Re: DNSSECbis Q-07: Discuss preconfigured trusted DSs in addition to preconfigured trusted KEYs?

Derek Atkins <warlord@MIT.EDU> Wed, 09 April 2003 20:52 UTC

From: Derek Atkins <warlord@MIT.EDU>
Subject: Re: DNSSECbis Q-07: Discuss preconfigured trusted DSs in addition to preconfigured trusted KEYs?
Date: Wed, 09 Apr 2003 16:52:50 -0400
Lines: 97
Sender: owner-namedroppers@ops.ietf.org
References: <20030331132915.GA2912@atoom.net> <20030409015556.6CF3B18ED@thrintun.hactrn.net> <20030409030333.E8E6518ED@thrintun.hactrn.net> <20030409200750.440EC18E6@thrintun.hactrn.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: namedroppers@ops.ietf.org
X-From: owner-namedroppers@ops.ietf.org Wed Apr 09 23:19:13 2003
Return-path: <owner-namedroppers@ops.ietf.org>
To: Rob Austein <sra+namedroppers@hactrn.net>
In-Reply-To: <20030409200750.440EC18E6@thrintun.hactrn.net>
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
Precedence: bulk
Message-ID: <20140418071715.2560.54695.ARCHIVE@ietfa.amsl.com>

Effectively what you are saying is that you want to store
a hash of the trusted key rather than the key itself.
I'm not sure what I think about this.

On the face of it, it should work just fine.  However,
you're now trusting the hash algorithm to root your
key.

-derek

Rob Austein <sra+namedroppers@hactrn.net> writes:

> DNSSECbis Q-07:
> 
>    Should the DNSSECbis documents discuss use of preconfigured trusted
>    DSs in addition to preconfigured trusted KEYs?
> 
> Discussion:
> 
>    As currently written, the DNSSECbis documents (specifically,
>    -protocol) only talk about how to establish a chain of trust
>    starting with preconfigured trusted keys.  At least one member of
>    the dnssec-editors team believes that this is just an oversight,
>    since section 2.4.1 of -delegation-signer-13 specifically mentions
>    the possibility of using DS RRs as a means of listing trusted keys
>    in configuration files.
> 
>    Message from the DNSOP WG mailing list attached below for context.
> 
>    Miek has kindly volunteered to work with the editors on wording.
> 
> 
> --[[message/rfc822]
> Date: Tue, 08 Apr 2003 21:55:56 -0400
> From: Rob Austein <sra+dnsop@hactrn.net>
> To: dnsop@cafax.se
> Subject: Re: preconfigured keys or ds's
> References: <20030331132915.GA2912@atoom.net>
> MIME-Version: 1.0 (generated by SEMI 1.14.4 - "Hosorogi")
> Content-Type: text/plain; charset=US-ASCII
> Message-Id: <20030409015556.6CF3B18ED@thrintun.hactrn.net>
> 
> At Mon, 31 Mar 2003 15:29:15 +0200, Miek Gieben wrote:
> > 
> > I would like to see the following documented, but I don't know for sure
> > if it is a dnssec or dnsop issue:
> > 
> > The preconfigured keys for resolvers are large and are hard to compare
> > and read (by humans). DS records on the other hand are much smaller
> > and easier to handle. I think it would be better to preconfigure
> > DS records instead of zone keys for resolvers. This is also how
> > my perl resolver works.
> 
> <hat dnsop-wg-co-chair=off dnssec-editors-team-member=off>
> 
>   This sounds like a reasonable implementation choice.
> 
> </hat>
> 
> > Where to put this? In the dnssec drafts or in a separate dnsop BCP?
> 
> <hat dnsop-wg-co-chair=off dnssec-editors-team-member=on>
> 
>   The current DNSSECbis drafts don't talk about using trusted DS RRs
>   as a starting point, only trusted KEYs.  Given the last paragraph of
>   section 2.4.1 of draft-ietf-dnsext-delegation-signer-13.txt, this
>   looks like an oversight (probably mine, since I was probably the
>   last person to work on the relevant text in the DNSSECbis drafts).
> 
>   So the DNSSECbis spec needs fixing, and I don't expect anybody to
>   argue against the fix, but for process reasons it'd be best to post
>   an explanation to namedroppers first, so I'll do that.
> 
> </hat>
> 
> <hat dnsop-wg-co-chair=on dnssec-editors-team-member=off>
> 
>   Because of the above, at least part of this is a DNSEXT issue.
> 
> </hat>
> 
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

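Derek's point (a preconfigured DS roots trust in the digest algorithm as well as in the key) in working code, as an added example that is not part of this thread or of any resolver discussed in it. It derives a DS from a DNSKEY using the construction of RFC 4034 section 5.1.4 (digest over the canonical owner name followed by the DNSKEY RDATA) and the key tag of RFC 4034 Appendix B, then checks an apex key fetched from the zone against a preconfigured DS anchor the way a validator would. The key material is constructed dummy bytes, the record name is the post-2003 DNSKEY rather than KEY, and digest types 1 (SHA-1) and 2 (SHA-256, RFC 4509) are the ones assumed.

```python
"""
Preconfigured DS anchors: derive a DS from a DNSKEY and check a zone's
apex key against it.  Added illustration, not code from the thread.
Digest types assumed: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
All key bytes below are constructed dummies, not real keys.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Digest type -> hash constructor.  An anchor is only as strong as the
# entry used here: a second-preimage break of the digest would let a
# different key pass the anchor check, which is exactly the added
# dependency a hashed anchor introduces compared with storing the key.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, uncompressed labels, root terminator."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the old RSA/MD5 rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> DS:
    """DS derived from a DNSKEY: digest(canonical owner name || DNSKEY RDATA)."""
    h = DIGEST_ALGS[digest_type]()
    h.update(canonical_name(owner))
    h.update(rdata)
    return DS(key_tag(rdata), rdata[3], digest_type, h.digest())


def matches_anchor(owner: str, rdata: bytes, anchor: DS) -> bool:
    """
    Validator side: does the DNSKEY fetched from the zone apex match the
    preconfigured DS anchor?  Cheap fields first, then the digest; the
    digest compare is constant-time so the check leaks nothing about
    partial matches.  An anchor with an unsupported digest type is unusable.
    """
    if anchor.digest_type not in DIGEST_ALGS:
        return False
    if key_tag(rdata) != anchor.key_tag or rdata[3] != anchor.algorithm:
        return False
    recomputed = make_ds(owner, rdata, anchor.digest_type)
    return hmac.compare_digest(recomputed.digest, anchor.digest)


def demo() -> dict:
    """Walk through anchor creation and two validator checks with constructed keys."""
    owner = "example."                         # constructed zone name
    real_key = dnskey_rdata(257, 3, 13, bytes(range(64)))        # constructed KSK bytes
    other_key = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))    # constructed substitute
    anchor = make_ds(owner, real_key)          # what the operator preconfigures
    return {
        "anchor_key_tag": anchor.key_tag,
        "anchor_digest_hex": anchor.digest.hex(),
        "real_key_accepted": matches_anchor(owner, real_key, anchor),
        "other_key_accepted": matches_anchor(owner, other_key, anchor),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The DS line an operator would keep in the resolver's configuration is the four fields of `DS` (key tag, algorithm, digest type, hex digest), which is the "much smaller and easier to handle" artifact Miek describes; the cost is that `DIGEST_ALGS` is now part of the trust root, and retiring a digest type means re-issuing every anchor that used it.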