Re: comments on ds-13

Ólafur Guðmundsson <ogud@ogud.com> Tue, 11 March 2003 20:04 UTC

From: Ólafur Guðmundsson <ogud@ogud.com>
Subject: Re: comments on ds-13
Date: Tue, 11 Mar 2003 15:04:38 -0500
References: <20030311175746.C0D55379E40@as.vix.com>
In-reply-to: <20030311175746.C0D55379E40@as.vix.com>
To: Paul Vixie <paul@vix.com>, namedroppers@ops.ietf.org
Message-ID: <20140418071707.2560.56960.ARCHIVE@ietfa.amsl.com>

At 12:57 2003-03-11, Paul Vixie wrote:
>olafur, you wrote (in draft-ietf-dnsext-delegation-signer-13.txt),
>
> >> DS RRsets MUST NOT appear at non-delegation points or at a zone's apex.
>
>why not?  i think you can say they are irrelevant elsewhere, but i don't
>think there's a way to show that they are in any way harmful elsewhere.

Well, the record is called "Delegation Signer".
IMHO this is a record for DNS consumption, and only for DNS; it
makes limited sense to have a DS record at non-delegation points
within the context of the current DNSSEC specification.
In addition, there are DS rules that specify that it resides on
the upper side of the delegation.
Does allowing DS to reside at a normal node require more special cases?

If someone figures out other uses for the DS concept that are not
related to standard DNSSEC, let's define a new record for that.
If the new usage is to somehow improve/add on DNSSEC, then the
use of DS should be considered.

>as a simple document quality issue, there is no way to enforce this
>requirement and no reliable way to even know when it has been violated.
>so at best it would be a SHOULD not a MUST.

This is a really good argument, and I would be happy to make the change
based on this, if the working group says so.

>however, even as a SHOULD, it overreaches.  the proper attitude of a
>document toward its protocol is to specify things which, if left
>unspecified, will lead to loss of interoperability or functionality.
>there is no such argument to be made for restricting the placement of
>DS RRs (or for restricting the use of KEYs for that matter.)

Remember the name and purpose of the record.
KEY, on the other hand, can be assigned to hosts for dynamic update purposes,
thus KEY is not restricted to the apex only.
IFF KEY were restricted to DNSSEC zone signing only, then restricting it
to the apex would make sense.

         Olafur
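Added illustration, not part of the original message or of the draft under discussion: Paul's point that nobody can reliably detect a violation holds for resolvers, but an authoritative operator can at least lint its own zone data. The check below parses simple one-RR-per-line zone text and flags every DS RRset whose owner is the zone apex or any name that carries no NS RRset, i.e. is not a delegation point. The sample zone, owner names and digest values are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample zone (not from any real deployment); digests are placeholders.
SAMPLE_ZONE = """\
example.        3600 IN SOA ns1.example. hostmaster.example. 1 7200 3600 1209600 3600
example.        3600 IN NS  ns1.example.
example.        3600 IN DS  12345 8 2 PLACEHOLDERDIGEST00
child.example.  3600 IN NS  ns1.child.example.
child.example.  3600 IN DS  54321 8 2 PLACEHOLDERDIGEST01
www.example.    3600 IN A   192.0.2.1
www.example.    3600 IN DS  11111 8 2 PLACEHOLDERDIGEST02
"""

def parse_zone(zone_text):
    """Return {owner: set(rrtypes)} from one-RR-per-line zone text."""
    types_by_owner = defaultdict(set)
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        i = 1  # skip optional TTL and class to reach the RR type
        if fields[i].isdigit():
            i += 1
        if fields[i].upper() in ("IN", "CH", "HS"):
            i += 1
        types_by_owner[fields[0].lower()].add(fields[i].upper())
    return types_by_owner

def find_misplaced_ds(zone_text, apex):
    """Owner names with a DS RRset that are not delegation points.

    A delegation point is a name below the apex that carries an NS RRset;
    the apex is excluded even though it has NS records of its own.
    """
    apex = apex.lower()
    misplaced = []
    for owner, types in parse_zone(zone_text).items():
        if "DS" in types and not (owner != apex and "NS" in types):
            misplaced.append(owner)
    return sorted(misplaced)

if __name__ == "__main__":
    for name in find_misplaced_ds(SAMPLE_ZONE, "example."):
        print("DS RRset at non-delegation owner:", name)
```

On the sample zone this reports the apex DS and the DS at www.example., and leaves the DS at the child.example. delegation alone.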

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>