----- Original Message -----
From: "Chris Thompson" <c...@cam.ac.uk>
To: "George Barwood" <george.barw...@blueyonder.co.uk>
Cc: <dnsop@ietf.org>
Sent: Tuesday, July 05, 2011 9:09 PM
Subject: Re: [DNSOP] CDS RRtype - automated KSK rollover

> On Jun 12 2011, George Barwood wrote:
>
>> I have updated the draft
>>
>> http://www.ietf.org/id/draft-barwood-dnsop-ds-publish-02.txt
>>
>> I have added an appendix with an example KSK rollover, and made
>> various generally minor changes.
>>
>> IANA have now assigned type code 59 for the CDS RRtype.
>>
>> I'd like to request that the WG adopt this document.
>
> While everyone else is discussing policy issues, can I raise a
> technical one?
>
> | The CDS record MUST be signed with a key that has the Secure Entry
> | Point flag set.
> [...]
> | The parent zone SHOULD check that the signing key(s) have the Secure
> | Entry Point flag set.
>
> This is changed from the first draft, replacing "KSK" by "SEP flag",
> but it still doesn't make sense to me. The draft doesn't seem to
> contain any indication as to why this is desirable.
>
> Not all signed zones have a key with the SEP flag set. I don't see why
> they should be excluded from using this mechanism.
>
> Obviously, the intent isn't that the CDS *refer* to a key with the
> SEP flag set, as this is unenforceable if the key hasn't even been
> published yet (as suggested in section 1).
>
> If the intent is to minimise the length of the chain of trust being
> used, then "MUST be signed with a key for which the parent already
> holds a DS record" would be the appropriate modification. But is
> this really necessary?

The intent is to restrict the ability to update the parent DS to those who
have access to key signing keys. Thus where there is a split responsibility
(similar to the root zone where IANA has the KSK private key, and Verisign
has only the ZSK private key), only the senior party can update the parent
DS. The party that only holds the ZSK private key cannot update the parent
and take over the zone.

George

> --
> Chris Thompson               University of Cambridge Computing Service,
> Email: c...@ucs.cam.ac.uk     New Museums Site, Cambridge CB2 3QH,
> Phone: +44 1223 334715       United Kingdom.
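As an added illustration (not code from the draft or from either poster), a parent-side check of the kind the draft's "SHOULD check" sentence describes: compute the RFC 4034 key tags of the child's DNSKEY RRset and accept the CDS only if every RRSIG(CDS) key tag resolves to a zone key with the SEP flag set, which is what stops a ZSK-only party from replacing the DS. The DNSKEY records and RRSIG key tags below are constructed, and cryptographic verification of the RRSIGs against those keys is assumed to have been done already.

```python
"""Parent-side SEP check for a child's CDS RRset (added example)."""
from dataclasses import dataclass

SEP_FLAG = 0x0001       # Secure Entry Point flag, RFC 4034 section 2.1.1
ZONE_KEY_FLAG = 0x0100  # Zone Key flag; a key without it is not a zone key


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA per RFC 4034 Appendix B (non-algorithm-1 case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # constructed placeholder bytes, not a real key

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def tag(self) -> int:
        return key_tag(self.rdata())

    def is_sep(self) -> bool:
        return bool(self.flags & ZONE_KEY_FLAG) and bool(self.flags & SEP_FLAG)


def cds_signers_ok(dnskeys, cds_rrsig_tags):
    """Return (accept, problems). Every RRSIG(CDS) key tag must match a
    DNSKEY with the SEP flag set; key-tag collisions are tolerated by
    accepting the tag if any key carrying it is SEP-flagged."""
    by_tag = {}
    for k in dnskeys:
        by_tag.setdefault(k.tag(), []).append(k)
    problems = []
    for tag in cds_rrsig_tags:
        keys = by_tag.get(tag)
        if not keys:
            problems.append(f"RRSIG(CDS) key tag {tag}: no matching DNSKEY")
        elif not any(k.is_sep() for k in keys):
            problems.append(f"RRSIG(CDS) key tag {tag}: signing key lacks SEP flag")
    return (not problems, problems)


# Constructed child DNSKEY RRset: one KSK (flags 257) and one ZSK (flags 256).
KSK = DNSKEY(257, 3, 13, b"\x01\x02\x03\x04")
ZSK = DNSKEY(256, 3, 13, b"\x05\x06\x07\x08")
```

With this RRset, a CDS signed only by `KSK` is accepted while one signed only by `ZSK` is rejected, which is the split-responsibility property George describes.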
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop