Re: [DNSOP] Truncation discussion in draft-ietf-dnsop-dnssec-trust-anchor-02

Mon, 09 Mar 2009 21:44:11 -0700 

In message <20090310041254.gb4...@vacation.karoshi.com.>, bmann...@vacation.kar
oshi.com writes:
> On Tue, Mar 10, 2009 at 12:55:51PM +1100, Mark Andrews wrote:
> > 
> > In message <f7c89744-a1ca-4fd6-b793-2f4e337e3...@verisign.com>, David Black
> a wr
> > ites:
> > > 
> > > On Mar 9, 2009, at 5:35 PM, Mark Andrews wrote:
> > > >
> > > >         On a related issue DS -> DNSKEY translations cannot be
> > > >         performed until the DNSKEY is published in the zone.  The
> > > >         use of DS prevents pre-publishing of keys.
> > > 
> > > Huh?  You can generate a DS from the DNSKEY record that you have  
> > > generated but not yet published, so you can pre-publish the DS just as  
> > > soon as you could pre-publish your DNSKEY.  As for actually *using*  
> > > the DS as a trust anchor, you can't use either the DS or the DNSKEY  
> > > prior to actually publishing and *using* the DNSKEY.  Or maybe I just  
> > > don't understand your point.
> > 
> >     When you pre-publish a DS you prevent implementations that
> >     use DNSKEYs from taking advantage of that pre-publication.
> 
>       sounds like an implementation bugll

        draft-ietf-dnsop-dnssec-trust-anchor is unfairly trying to
        restrict what is can be used as a trust anchor.  It is
        retroactively changing the specification.
        
   A security-aware resolver MUST be capable of being configured with at
   least one trusted public key or DS RR and SHOULD be capable of being
   configured with multiple trusted public keys or DS RRs.  Since a
   security-aware resolver will not be able to validate signatures
   without such a configured trust anchor, the resolver SHOULD have some
   reasonably robust mechanism for obtaining such keys when it boots;
   examples of such a mechanism would be some form of non-volatile
   storage (such as a disk drive) or some form of trusted local network
   configuration mechanism.


> --bill
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to