On Jun 12 2011, George Barwood wrote:

I have updated the draft

http://www.ietf.org/id/draft-barwood-dnsop-ds-publish-02.txt

I have added an appendix with an example KSK rollover, and made
various generally minor changes.

IANA have now assigned type code 59 for the CDS RRtype.

I'd like to request that the WG adopt this document.

While everyone else is discussing policy issues, can I raise a
technical one?

| The CDS record MUST be signed with a key that has the Secure Entry
| Point flag set.
[...]
| The parent zone SHOULD check that the signing key(s) have the Secure
| Entry Point flag set.

This is changed from the first draft, replacing "KSK" by "SEP flag",
but it still doesn't make sense to me. The draft doesn't seem to
contain any indication as to why this is desirable.

Not all signed zones have a key with the SEP flag set. I don't see why
they should be excluded from using this mechanism.

Obviously, the intent isn't that the CDS *refer* to a key with the
SEP flag set, as this is unenforceable if the key hasn't even been
published yet (as suggested in section 1).

If the intent is to minimise the length of the chain of trust being
used, then "MUST be signed with a key for which the parent already
holds a DS record" would be the appropriate modification. But is
this really necessary?

--
Chris Thompson               University of Cambridge Computing Service,
Email: c...@ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
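The two candidate rules in the exchange above ("signed with a key that has the SEP flag set" versus "signed with a key for which the parent already holds a DS record") are both checks a parent-side validator can run against the child's DNSKEY RRset and the RRSIG over the CDS RRset. The code below is an added example written for this thread, not text from the draft or from either poster. It computes key tags (RFC 4034 Appendix B) and SHA-256 DS digests (RFC 4034 section 5.1.4) from constructed sample keys; the zone name `example.`, algorithm number 13 and all key bytes are made up, and cryptographic verification of the RRSIG is assumed to have been done elsewhere.

```python
"""Parent-side check of which child key signed a CDS RRset.

Added example: models (a) the draft's rule, "signing key has the SEP flag
set", and (b) the alternative raised in the thread, "signing key matches a
DS the parent already holds". All names, keys and signatures are
constructed sample data; RRSIG verification is assumed to happen elsewhere.
"""
import hashlib
import struct
from dataclasses import dataclass

SEP_FLAG = 0x0001       # DNSKEY flags bit 15, Secure Entry Point (RFC 4034 2.1.1)
ZONE_KEY_FLAG = 0x0100  # DNSKEY flags bit 7, Zone Key


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def has_sep(self) -> bool:
        return bool(self.flags & SEP_FLAG)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int
    signer_name: str
    # Signature bytes are omitted: this example only identifies the signer.


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split(".") if l)
    return out + b"\x00"


def make_ds(owner: str, key: DNSKEY) -> DS:
    """DS with digest type 2: SHA-256(owner name wire format || DNSKEY RDATA)."""
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, 2, digest)


def find_signing_keys(sig: RRSIG, dnskeys):
    """Keys in the child's DNSKEY RRset that the RRSIG could have been made with."""
    return [k for k in dnskeys
            if k.protocol == 3 and k.algorithm == sig.algorithm and key_tag(k) == sig.key_tag]


def check_cds_signer(owner: str, sig: RRSIG, dnskeys, parent_ds):
    """Return (sep_flag_set, parent_holds_ds) for the key(s) matching the CDS RRSIG.

    Key tags can collide, so every candidate must carry the SEP flag for (a),
    while a single digest match against the parent's DS set suffices for (b).
    """
    candidates = find_signing_keys(sig, dnskeys)
    if not candidates:
        raise ValueError("RRSIG key tag/algorithm matches no DNSKEY in the child zone")
    sep = all(k.has_sep() for k in candidates)
    held = any(ds.digest_type == 2 and make_ds(owner, k) == ds
               for k in candidates for ds in parent_ds)
    return sep, held


# Constructed sample data (not real key material).
CHILD = "example."
KSK = DNSKEY(ZONE_KEY_FLAG | SEP_FLAG, 3, 13, bytes(range(1, 65)))      # SEP set, DS published
ZSK = DNSKEY(ZONE_KEY_FLAG, 3, 13, bytes(range(64, 0, -1)))             # no SEP, no DS
NOSEP_KSK = DNSKEY(ZONE_KEY_FLAG, 3, 13, bytes(range(100, 164)))        # no SEP, DS published
DNSKEYS = [KSK, ZSK, NOSEP_KSK]
PARENT_DS = [make_ds(CHILD, KSK), make_ds(CHILD, NOSEP_KSK)]


def scenario(signing_key: DNSKEY):
    """Outcome of both rules when the given key signed the child's CDS RRset."""
    sig = RRSIG("CDS", signing_key.algorithm, key_tag(signing_key), CHILD)
    return check_cds_signer(CHILD, sig, DNSKEYS, PARENT_DS)


if __name__ == "__main__":
    for name, key in (("KSK", KSK), ("ZSK", ZSK), ("NOSEP_KSK", NOSEP_KSK)):
        print(name, "SEP set / DS held:", scenario(key))
```

The `NOSEP_KSK` case is the one the reply is about: a zone whose delegation is anchored at the parent by a DS record but whose key does not carry the SEP flag passes the "parent already holds a DS" rule and fails the "SEP flag set" rule, even though the parent can verify the chain of trust equally well in both cases.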
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop