DNSSECbis Q-07: Discuss preconfigured trusted DSs in addition to preconfigured trusted KEYs?
Rob Austein <sra+namedroppers@hactrn.net> Wed, 09 April 2003 20:07 UTC
From: Rob Austein <sra+namedroppers@hactrn.net>
Subject: DNSSECbis Q-07: Discuss preconfigured trusted DSs in addition to preconfigured trusted KEYs?
Date: Wed, 09 Apr 2003 16:07:50 -0400
To: namedroppers@ops.ietf.org
DNSSECbis Q-07:

Should the DNSSECbis documents discuss use of preconfigured trusted
DSs in addition to preconfigured trusted KEYs?

Discussion:

As currently written, the DNSSECbis documents (specifically,
-protocol) only talk about how to establish a chain of trust starting
with preconfigured trusted keys. At least one member of the
dnssec-editors team believes that this is just an oversight, since
section 2.4.1 of -delegation-signer-13 specifically mentions the
possibility of using DS RRs as a means of listing trusted keys in
configuration files.

Message from the DNSOP WG mailing list attached below for context.

Miek has kindly volunteered to work with the editors on wording.

Date: Tue, 08 Apr 2003 21:55:56 -0400
From: Rob Austein <sra+dnsop@hactrn.net>
To: dnsop@cafax.se
Subject: Re: preconfigured keys or ds's
Message-Id: <20030409015556.6CF3B18ED@thrintun.hactrn.net>

At Mon, 31 Mar 2003 15:29:15 +0200, Miek Gieben wrote:
>
> I would like to see the following documented, but I don't know for sure
> if it is a dnssec or dnsop issue:
>
> The preconfigured keys for resolvers are large and are hard to compare
> and read (by humans). DS records on the other hand are much smaller
> and easier to handle. I think it would be better to preconfigure
> DS records instead of zone keys for resolvers. This is also how
> my perl resolver works.

<hat dnsop-wg-co-chair=off dnssec-editors-team-member=off>

This sounds like a reasonable implementation choice.

</hat>

> Where to put this? In the dnssec drafts or in a separate dnsop BCP?

<hat dnsop-wg-co-chair=off dnssec-editors-team-member=on>

The current DNSSECbis drafts don't talk about using trusted DS RRs as
a starting point, only trusted KEYs.

Given the last paragraph of section 2.4.1 of
draft-ietf-dnsext-delegation-signer-13.txt, this looks like an
oversight (probably mine, since I was probably the last person to work
on the relevant text in the DNSSECbis drafts).

So the DNSSECbis spec needs fixing, and I don't expect anybody to
argue against the fix, but for process reasons it'd be best to post an
explanation to namedroppers first, so I'll do that.

</hat>

<hat dnsop-wg-co-chair=on dnssec-editors-team-member=off>

Because of the above, at least part of this is a DNSEXT issue.

</hat>
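The check a resolver makes when it is configured with a trusted DS rather than a trusted key, as an added example that is not code from this thread or from any resolver mentioned in it. It assumes the DS digest and key tag definitions as later published in RFC 4034; the function names and the sample key bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest type -> hash function

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_rdata(flags, protocol, algorithm, public_key):
    """RDATA of a zone key: flags, protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B; not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=1):
    """Derive the DS fields an operator would place in the resolver config."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return (owner, key_tag(rdata), rdata[3], digest_type, digest)

def matches_anchor(owner, rdata, anchors):
    """True if the received key hashes to one of the preconfigured DS anchors."""
    for a_owner, a_tag, a_alg, a_type, a_digest in anchors:
        if name_to_wire(a_owner) != name_to_wire(owner) or a_alg != rdata[3]:
            continue
        if a_type not in DIGESTS or a_tag != key_tag(rdata):
            continue  # the tag is only a cheap filter; the digest carries the trust
        candidate = DIGESTS[a_type](name_to_wire(owner) + rdata).digest()
        if hmac.compare_digest(candidate, a_digest):
            return True
    return False

# Constructed sample data: 130 arbitrary bytes standing in for a public key.
SAMPLE_KEY = key_rdata(256, 3, 5, bytes(range(130)))
ANCHORS = [make_ds("example.", SAMPLE_KEY)]

if __name__ == "__main__":
    owner, tag, alg, dtype, digest = ANCHORS[0]
    print(f"key RDATA: {len(SAMPLE_KEY)} bytes, DS digest: {len(digest)} bytes")
    print(f"{owner} IN DS {tag} {alg} {dtype} {digest.hex().upper()}")
    print("genuine key accepted:", matches_anchor("example.", SAMPLE_KEY, ANCHORS))
    forged = SAMPLE_KEY[:-1] + b"\x00"
    print("altered key accepted:", matches_anchor("example.", forged, ANCHORS))
```

The resolver still has to fetch the zone's key set and find a key that matches the configured DS before it can validate anything, which a preconfigured key does not require.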