

On Fri, 29 Jul 2011, Alexander Gall wrote:

On Thu, 28 Jul 2011 19:29:31 +0200 (CEST), Matthijs Mekking 
<matth...@nlnetlabs.nl> said:



On Wed, 27 Jul 2011, Alexander Gall wrote:

Matthijs,

On Wed, 27 Jul 2011 18:03:30 +0200 (CEST), Matthijs Mekking 
<matth...@nlnetlabs.nl> said:

On Wed, 27 Jul 2011, Alexander Gall wrote:


The corner case tries to make clear that a DNSKEY RRset can be
treated as part of the chain of trust, but also can be treated as zone
content. In the latter case you want to make sure that the signatures
of the new algorithm are propagated before introducing the new DNSKEY.

I sort of understand the intention.  But how *exactly* would it work?
Note that the "pre-published" signature in zone SOA_1 will differ from
that in zone SOA_2, because the DNSKEY RRset is not the same (this is
different from pre-published signatures by the ZSK, because the RRsets
themselves do not change).

It's about pre-publishing the algorithm. But I now see what you mean and
I think you are right. The corner case does not actually need these
special considerations. The algorithm rollover described as it is now is
not wrong, it just adds a redundant signature in the 'new RRSIGs' step.

Ok. In other words, there is no point in publishing signatures over
the DNSKEY RRset by a key that is not part of that RRset itself,
right? Seems to me that RRSIG_K_1(DNSKEY) should be removed from the
"DNSKEY removal" step as well.

Yes, I have proposed pending changes here:

http://tools.ietf.org//rfcdiff?url1=http://tools.ietf.org/id/draft-ietf-dnsop-rfc4641bis-07.txt&url2=http://www.nlnetlabs.nl/~matje/draft-ietf-dnsop-rfc4641bis.txt


--
Alex

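The point Alex makes above, that a pre-published RRSIG over the DNSKEY RRset by a key not yet in that RRset cannot be validated and goes stale as soon as the key is added, while a pre-published signature over an unchanged RRset survives the key's introduction, can be modelled in a few lines. This is an added example, not code from the thread or from RFC 4641bis; it uses a SHA-256 digest over a shared secret as a stand-in for a real DNSSEC signature, and the key tags, algorithm numbers and A records are constructed values.

```python
import hashlib
from typing import NamedTuple

class Key(NamedTuple):
    tag: int       # stands in for the DNSSEC key tag
    alg: int       # stands in for the algorithm number
    secret: bytes  # toy: one shared secret instead of a public/private pair

def canonical(rrset):
    """Canonical RRset form: sorted rdata, so record order never matters."""
    return b"\n".join(sorted(str(rr).encode() for rr in rrset))

def sign(key, rrtype, rrset):
    """Toy RRSIG: binds the signer's (tag, alg) to the RRset contents."""
    mac = hashlib.sha256(key.secret + rrtype.encode() + canonical(rrset)).hexdigest()
    return {"type": rrtype, "tag": key.tag, "alg": key.alg, "mac": mac}

def verify(zone, rrsig, keys):
    """Model of the RFC 4035 validation rule: the signer must be a DNSKEY in the
    apex DNSKEY RRset of *this* zone version, and the RRset must be unchanged."""
    present = {(tag, alg) for tag, alg in zone["DNSKEY"]}
    if (rrsig["tag"], rrsig["alg"]) not in present:
        return "no matching DNSKEY in RRset"
    expected = sign(keys[rrsig["tag"]], rrsig["type"], zone[rrsig["type"]])["mac"]
    return "valid" if expected == rrsig["mac"] else "RRset changed since signing"

# Constructed keys and zone data; K1 uses the old algorithm, K2 the new one.
K1 = Key(1001, 8, b"k1-secret")
K2 = Key(2002, 13, b"k2-secret")
KEYS = {K1.tag: K1, K2.tag: K2}
A_RRS = ["192.0.2.1", "192.0.2.2"]  # unchanged across zone versions

def rollover_demo():
    soa1 = {"DNSKEY": [(K1.tag, K1.alg)], "A": A_RRS}                    # 'new RRSIGs' step
    soa2 = {"DNSKEY": [(K1.tag, K1.alg), (K2.tag, K2.alg)], "A": A_RRS}  # 'new DNSKEY' step
    # Signatures "pre-published" in SOA_1, before K2 is in the DNSKEY RRset.
    pre_a = sign(K2, "A", soa1["A"])
    pre_dnskey = sign(K2, "DNSKEY", soa1["DNSKEY"])
    return {
        "pre_A_in_SOA2": verify(soa2, pre_a, KEYS),             # still valid in SOA_2
        "pre_DNSKEY_in_SOA1": verify(soa1, pre_dnskey, KEYS),   # no validator can use it
        "pre_DNSKEY_in_SOA2": verify(soa2, pre_dnskey, KEYS),   # stale: the RRset grew
        "fresh_DNSKEY_in_SOA2": verify(soa2, sign(K2, "DNSKEY", soa2["DNSKEY"]), KEYS),
    }

if __name__ == "__main__":
    for step, outcome in rollover_demo().items():
        print(f"{step:22} {outcome}")
```

The redundant signature in the 'new RRSIGs' step is the one reported as stale in SOA_2: a fresh RRSIG_K_2(DNSKEY) has to be generated once K_2 is in the RRset anyway.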
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
