Chris, Thanks for your comments.
----- Original Message -----
From: "Chris Thompson" <c...@cam.ac.uk>
To: "George Barwood" <george.barw...@blueyonder.co.uk>
Cc: <dnsop@ietf.org>
Sent: Saturday, May 22, 2010 8:07 PM
Subject: Re: [DNSOP] KSK rollover

> On May 22 2010, George Barwood wrote:
>
>> Well, I have uploaded a draft :
>>
>> http://www.ietf.org/id/draft-barwood-dnsop-ds-publish-00.txt
>>
>> Comments and/or indications of support are of course welcome, on or off list.
>
> Section 3:
>
> | The CDS record MUST be signed with a Key Signing Key, that is a key
> | for which there is a DS record.
>
> (a) That's a new definition of "key signing key", I think. RFC3757 comes
> closest with KSK = key with SEP bit = "which DNSKEYs are to be sent
> for *generating* DS RRs" (my emphasis), but I take it you mean a key
> for which a DS record *already* exists.

Ok - so I guess I should just possibly say simply:

"The CDS record MUST be signed with a key for which there is a DS record."

> (b) Why? Why shouldn't a chain of trust through (say) a KSK and a ZSK
> be enough? Insisting on a one-step chain seems contrary to the
> spirit, at least, of RFC 4034 section 2.1.1.

My reasoning is that

(i) Zone signing keys are used more frequently than a KSK, since they are needed whenever the zone content changes (in particular if dynamic update is supported, the ZSK must be kept online). Therefore Zone signing keys are more exposed to compromise. They also tend to be shorter, and are therefore possibly easier to crack.

(ii) The CDS record is not verified during normal operation, so any cost associated with the longer signature does not matter.

(iii) My intuition suggests that access to a Zone signing key should not give permission to update the CDS RRset.

This reasoning may not hold up under closer scrutiny, it's just my take on it (and as the acknowledgments mention, I received a hint on this from Olafur Gudmundsson - maybe he has better insight into this).
Re RFC 4034, section 2.1.1: isn't that simply saying that "all" keys have Bit 7 set in the flags field? Both Zone Signing Keys and Key Signing Keys are "Zone keys", inasmuch as they are used to verify RRSIGs.

[ By "all" I mean all DNSSEC keys that we use today ]

Regards,
George

> --
> Chris Thompson               University of Cambridge Computing Service,
> Email: c...@ucs.cam.ac.uk     New Museums Site, Cambridge CB2 3QH,
> Phone: +44 1223 334715       United Kingdom.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
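The rule debated above (the CDS RRset must be signed by a key for which a DS record exists) as an added check, not code from the draft or from anyone on this thread: it computes key tags (RFC 4034 Appendix B) and type-2 SHA-256 DS digests (RFC 4034 section 5.1.4) and tests whether the DNSKEY identified by the CDS RRSIG's key tag and algorithm has a matching DS, regardless of the SEP bit. The zone name, key bytes and DS RRset are constructed samples.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag as in RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over canonical owner name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def cds_signer_has_ds(owner, dnskeys, ds_rrset, rrsig_keytag, rrsig_alg):
    """True iff a DNSKEY matching the CDS RRSIG's key tag and algorithm has a
    DS record in ds_rrset. Every candidate is tried, since key tags can collide."""
    for flags, proto, alg, pub in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, pub)
        if alg != rrsig_alg or key_tag(rdata) != rrsig_keytag:
            continue
        digest = ds_digest_sha256(owner, rdata)
        if any((t, a, d, h.lower()) == (rrsig_keytag, alg, 2, digest)
               for t, a, d, h in ds_rrset):
            return True
    return False

# Constructed sample data (not real key material): one KSK with a DS at the
# parent, one ZSK without. Only the DS match decides the outcome.
ZONE = "example.net."
KSK = (257, 3, 13, bytes(range(64)))
ZSK = (256, 3, 13, bytes(range(64, 128)))
DNSKEYS = [KSK, ZSK]
DS_RRSET = [(key_tag(dnskey_rdata(*KSK)), 13, 2,
             ds_digest_sha256(ZONE, dnskey_rdata(*KSK)))]

if __name__ == "__main__":
    for name, key in (("KSK", KSK), ("ZSK", ZSK)):
        tag = key_tag(dnskey_rdata(*key))
        print(name, tag, cds_signer_has_ds(ZONE, DNSKEYS, DS_RRSET, tag, 13))
```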