On Mar 10 2009, Mark Andrews wrote:

> Has anyone on this list ever typed in a DNSKEY or DS as a
> trust anchor?  I would presume that most (99.9999%) people
> would just cut-and-paste or the equivalent.  I call "ease
> of typing" an unjustifiable justification as no one will be
> doing it even for DS records.

I have to agree with that, except that you probably need more 9's.

> I will agree that DNSKEYs are harder to compare, but I
> believe impossible trumps harder and it is impossible to
> convert a DS to a DNSKEY prior to the publication of the
> DNSKEY in the DNS.  The reverse is not true.

But that's exactly what is seen as a benefit in section 2 of
draft-ietf-dnsop-dnssec-trust-anchor ("forces priming")
and in previous posts here ("does not expose the KSK to
factorisation attacks during the pre-publication period").
You may consider these nugatory benefits, but perhaps you
should say why.

I admit to a prejudice in favour of DS-shaped trust anchors,
really based on the concept that a trust anchor should be a
certificate "in loco parentis". It fits in with my favourite
spiel about how the root hints "zone" is actually the referral
from Trantor, kept locally only because the RTT to Trantor
is too damn long. On that basis, the trust anchor for the
root zone ought to be the DS record from Trantor.

--
Chris Thompson
Email: c...@cam.ac.uk

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
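The asymmetry both posters are arguing about (a DS is derivable from a DNSKEY, never the other way round, so a DS-shaped anchor forces the validator to fetch and check the DNSKEY at priming time) is easy to see in code. The following is an added example, not code from this thread or from the draft: it builds a DS from a DNSKEY per RFC 4034 section 5.1.4 and appendix B, and then does the priming-time check a validator performs against a DS anchor. The owner name, flags and the four-byte "public key" are constructed test data, not a real key; a practitioner would feed in the published DNSKEY for the zone of interest and compare the result with the DS published out of band.

```python
"""DS from DNSKEY, and DNSKEY-against-DS-anchor check (RFC 4034).

Added example for the DS-vs-DNSKEY trust anchor discussion; the sample
key below is constructed test data, not a real zone key.
"""
import base64
import hashlib
import hmac
import struct

# DS digest types (RFC 4034 section 5.1.3, RFC 4509): type -> hashlib name.
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the empty root label (so "." is just b"\\x00")."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            if not 1 <= len(label) <= 63:
                raise ValueError("bad label length in %r" % name)
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (a checksum over the RDATA, not a hash)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex_digest) for the DS that
    covers this DNSKEY.  digest = H(owner name wire form | DNSKEY RDATA).
    There is deliberately no inverse: a DS cannot be turned into a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(owner_wire(owner) + rdata)
    return (key_tag(rdata), algorithm, digest_type, h.hexdigest().upper())


def format_ds(owner: str, ds) -> str:
    """Presentation form, e.g. '. IN DS 2063 8 2 <hex>'."""
    return "%s IN DS %d %d %d %s" % ((owner,) + ds)


def dnskey_matches_ds(owner, flags, protocol, algorithm, pubkey_b64, ds) -> bool:
    """The priming-time check: given only a DS anchor and a DNSKEY fetched
    from the DNS, accept the key only if algorithm, key tag and digest all
    match.  Any change to flags, algorithm or key bytes makes this fail."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS or algorithm != alg:
        return False
    computed = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return computed[0] == tag and hmac.compare_digest(computed[3], digest.upper())


# Constructed sample: a root-owner KSK (flags 257 = ZONE|SEP, algorithm 8)
# whose "public key" is the four bytes 01 02 03 04.  Not a real key.
SAMPLE_OWNER = "."
SAMPLE_KEY = (257, 3, 8, "AQIDBA==")

if __name__ == "__main__":
    anchor = ds_from_dnskey(SAMPLE_OWNER, *SAMPLE_KEY)
    print(format_ds(SAMPLE_OWNER, anchor))
    # The genuine key validates against the anchor; a key differing in one
    # byte (AQIDBQ== is 01 02 03 05) or in its flags does not.
    print(dnskey_matches_ds(SAMPLE_OWNER, 257, 3, 8, "AQIDBA==", anchor))
    print(dnskey_matches_ds(SAMPLE_OWNER, 257, 3, 8, "AQIDBQ==", anchor))
    print(dnskey_matches_ds(SAMPLE_OWNER, 256, 3, 8, "AQIDBA==", anchor))
```

The check is exactly why a DS anchor "forces priming": the validator holds nothing it can verify a signature with until it has fetched the DNSKEY RRset, found the key whose recomputed DS matches, and then used that key to validate the RRset's RRSIG. A DNSKEY anchor skips the first two steps, which is the convenience the other side of the thread is pointing at, at the cost of publishing the public key itself before it is in the DNS.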