On Apr 23, 2013, at 8:18 AM, Edward Lewis <[email protected]> wrote:
> What's really unfortunate is that the CDS record could be flexible enough to
> work with an out-of-band arrangement if the proposal is well-designed, but if
> the document insists on weaving in an in-band only arrangement, the idea will
> flail. Opportunity to be useful is lost.

You are conflating two features that you want: in-band signaling and out-of-DNS-band authorization. It is perfectly reasonable for a parent to have a policy of "we will not look for a CDS until we have gotten an authenticated request to do so", and that request mechanism can be a standardized HTTP request. Designing the latter is trivial and can be done in parallel with the CDS work.

FWIW, I think that the out-of-band "make me look" protocol is quite worthwhile. The more I look at some of the weirdness that is in CDS (artificial differences of KSK and ZSK, partial signing, etc.), the more I think that trying to do this in DNS under DNSSEC is stretching the DNS too far.

On Apr 18, 2013, at 5:11 PM, Joe Abley <[email protected]> wrote:

> By this thinking, a signed apex DS RRSet with the meaning discussed for CDS
> could be deployed today, with no need for code point assignment. What am I
> missing?

... was followed by throwing out the idea because:

On Apr 19, 2013, at 7:14 AM, Tony Finch <[email protected]> wrote:

> That isn't enough to disambiguate which DS is being asked for if child and
> parent zones share a server.

With a secure out-of-DNS-band authorization that says "please fetch my DS records, and they will look like X" where X is the record or a hash of the record, there is no problem with signed apex DS RRsets even when the child and parent zones share a server.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
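The parent-side check that the last paragraph of the message describes, as an added example that is not part of the original post or of any CDS specification: the child's out-of-band request carries X (either the expected DS records themselves or a hash of them), and the parent accepts a fetched apex DS RRset only if it matches X, which is what lets it tell the child's set apart from any other DS set a shared server might return. The DS field layout, the canonical text encoding hashed to produce X, the SHA-256 choice and all sample records are assumptions made for illustration.

```python
"""Parent-side verification of an out-of-band "please fetch my DS records,
and they will look like X" request. Added example, not from the original
thread; record layout, encoding of X and sample data are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    """One DS record in presentation-style fields (assumed layout)."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex string

    def presentation(self) -> str:
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest.lower()}"


def canonical_rrset(rrset) -> str:
    """One record per line, sorted, so the order in which a server happens to
    return the records cannot change the outcome of the comparison."""
    return "\n".join(sorted(ds.presentation() for ds in rrset))


def commitment(rrset) -> str:
    """X in its hashed form: SHA-256 over the canonical text (assumed encoding)."""
    return hashlib.sha256(canonical_rrset(rrset).encode()).hexdigest()


def matches_commitment(fetched, expected_x) -> bool:
    """Accept the fetched DS RRset only if it equals the out-of-band
    commitment, supplied either as a hash string or as the records."""
    if isinstance(expected_x, str):
        return commitment(fetched) == expected_x
    return canonical_rrset(fetched) == canonical_rrset(expected_x)


def select_intended(candidate_rrsets, expected_x):
    """A server hosting both child and parent zones may hand back more than
    one DS RRset; return the one the child committed to, or None."""
    for rrset in candidate_rrsets:
        if matches_commitment(rrset, expected_x):
            return rrset
    return None


# Constructed sample data: the DS set the child publishes at its apex ...
CHILD_APEX_DS = frozenset({
    DS(12345, 13, 2, "ab" * 32),
    DS(54321, 13, 2, "cd" * 32),
})
# ... and a different DS set the same server holds in the parent zone.
PARENT_DELEGATION_DS = frozenset({DS(11111, 8, 2, "ef" * 32)})


if __name__ == "__main__":
    x = commitment(CHILD_APEX_DS)
    chosen = select_intended([PARENT_DELEGATION_DS, CHILD_APEX_DS], x)
    print("matched child apex DS set:", chosen == CHILD_APEX_DS)
```

Because both forms of X are tied to the records themselves rather than to which zone answered, the parent does not need to care that the child and parent zones share a server: a DS RRset that does not match X is simply not the one the child asked the parent to install.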
