On Fri, Apr 11, 2014 at 7:10 AM, Patrik Fältström <p...@frobbit.se> wrote:
>
> On 11 apr 2014, at 12:03, Antoin Verschuren <antoin.verschu...@sidn.nl> wrote:
>
>> I think since this is a protocol definition, CDS and CDNSKEY MUST
>> match. What a parent should do when the protocol is violated is I
>> guess an implementation issue, BCP, or perhaps even local policy. A
>> parent may only look at CDNSKEY or CDS or both. Saying they MUST match
>> when they are both in the zone does not state anything on what the
>> parent should do when they don't, same as when the Rdata is rubbish.
>
> I support this. This makes it possible for parents to decide themselves whether:
>
> 1. They only fetch CDNSKEY and will not fetch CDS
> 2. They only fetch CDS and will not fetch CDNSKEY
> 3. They fetch CDNSKEY first, and then CDS if CDNSKEY does not exist
> 4. They fetch CDS first, and then CDNSKEY if CDS does not exist
> 5. They fetch both CDS and CDNSKEY and will only pick data if the two are the same
> 6. ...
>
> Etc.
>
> If that is not the case, i.e. that the wg want a specific algorithm, then
> that should be explicit.
>
> Unless we have an algorithm, then I support the fact that according to the
> protocol, they MUST result in the same result, as the parent can choose what
> algorithm they use.
Yup. The document currently (-04) says that if the child publishes both, they MUST match. However, it also says that the parent MUST NOT perform a consistency check -- it chooses either DS or DNSKEY based upon local policy and then consumes the corresponding record type.

Relevant text:

"Some parents prefer to accept DNSSEC key information in DS format, some parents prefer to accept it in DNSKEY format, and calculate the DS record on the child's behalf. Each method has pros and cons, both technical and policy. This solution is DS vs DNSKEY agnostic, and allows operation with either. The child SHOULD publish both CDS and CDNSKEY records. If the child knows which the parent consumes, it MAY choose to only publish that record type (for example, some children wish the parent to publish a DS, but they wish to keep the DNSKEY "hidden" until needed). If the child publishes both, the two RRsets MUST match in content. The parent should use whichever one they choose, but MUST NOT query for both and perform consistency checks between the CDS and CDNSKEY records."

"The parent MUST choose to accept either CDS or CDNSKEY records (based upon local policy), and MUST NOT expect there to be both. A parent MUST NOT perform a consistency check between CDS and CDNSKEY (other than for informational / debugging use)."

Is this A: sane and B: reasonable?

W

>
> Patrik
>
>
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
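The quoted draft text lets a parent compare CDS against CDNSKEY only "for informational / debugging use". The following is an added example of exactly that kind of debugging check, written for this thread; it is not code from the draft, from any registry, or from anyone on the list. It derives the DS a parent would compute from each CDNSKEY (owner name in canonical wire form plus DNSKEY rdata, hashed with the digest type of the published CDS records) and reports which CDS records have no matching CDNSKEY and vice versa. Assumptions: the presentation-format parsers accept `owner [ttl] [IN] CDNSKEY ...` / `owner [ttl] [IN] CDS ...`, only digest types 1, 2 and 4 are computed, and the key-tag routine is the RFC 4034 Appendix B method for every algorithm other than 1 (RSA/MD5), which this example does not handle. The sample records in `__main__` are constructed, not real zone data.

```python
import base64
import hashlib
from dataclasses import dataclass

# DS digest types this checker can compute (assumption: 1, 2 and 4 suffice).
# A CDS with any other digest type can never be matched and is reported as stray.
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    """Rdata of a DNSKEY or CDNSKEY record."""
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    """Rdata of a DS or CDS record; the digest is kept as lowercase hex."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased labels, terminating root label."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS a parent derives from a (C)DNSKEY: digest over owner name + DNSKEY rdata."""
    digest = DIGEST_ALGORITHMS[digest_type](wire_name(owner) + key.rdata()).hexdigest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def parse_cdnskey(line: str) -> DNSKEY:
    """Parse 'owner [ttl] [IN] CDNSKEY flags proto alg base64...' (base64 may be split)."""
    fields = line.split()
    i = fields.index("CDNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return DNSKEY(flags, proto, alg, base64.b64decode("".join(fields[i + 4:])))


def parse_cds(line: str) -> DS:
    """Parse 'owner [ttl] [IN] CDS tag alg dtype hex...' (hex may be split into words)."""
    fields = line.split()
    i = fields.index("CDS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return DS(tag, alg, dtype, "".join(fields[i + 4:]).lower())


def check_consistency(owner: str, cdnskeys, cds_records) -> dict:
    """Informational comparison of a child's CDNSKEY and CDS RRsets.

    For every CDNSKEY a DS is derived for each digest type seen in the CDS set
    (SHA-256 if the CDS set is empty) and looked up among the published CDS records.
    """
    published = set(cds_records)
    digest_types = {d.digest_type for d in published
                    if d.digest_type in DIGEST_ALGORITHMS} or {2}
    stray_cds = set(published)        # CDS records no CDNSKEY accounts for
    keys_without_cds = []             # CDNSKEY records with no CDS counterpart
    for key in cdnskeys:
        derived = {ds_from_dnskey(owner, key, dt) for dt in digest_types}
        hits = derived & published
        if not hits:
            keys_without_cds.append(key)
        stray_cds -= hits
    return {
        "consistent": not stray_cds and not keys_without_cds,
        "cds_without_cdnskey": sorted(stray_cds, key=lambda d: (d.key_tag, d.digest_type)),
        "cdnskey_without_cds": keys_without_cds,
    }


if __name__ == "__main__":
    # Constructed sample: a CDNSKEY with a tiny placeholder key, and the CDS the
    # child should have published for it, plus one CDS that nothing matches.
    owner = "child.example."
    cdnskey = parse_cdnskey(f"{owner} 3600 IN CDNSKEY 257 3 13 AAECAw==")
    good = ds_from_dnskey(owner, cdnskey)
    stray = parse_cds(f"{owner} 3600 IN CDS 4242 13 2 {'ab' * 32}")
    print(check_consistency(owner, [cdnskey], [good]))           # consistent
    print(check_consistency(owner, [cdnskey], [good, stray]))    # one stray CDS
```

Note that the result is only a report: under the quoted text a parent still picks one record type by local policy and consumes that, so the natural place for this check is a log line or a dashboard, not the acceptance decision.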