On Wed, Apr 16, 2014 at 9:19 AM, Dan York <y...@isoc.org> wrote:
>
> On Apr 16, 2014, at 8:02 AM, Warren Kumari <war...@kumari.net> wrote:
>
> > I think I made it even clearer:
> > The first time a DNS operator signs a zone, they need to communicate
> > the keying material to their parent through some out-of-band method to
> > complete the chain of trust. Depending on the desires of the parent,
> > the child might send their DNSKEY record, a DS record, or both.
> >
> > Good?
>
> Looks good to me. The whole document is looking very good. I've been
> reading the conversation and initially had some concerns but others already
> addressed the points (and so I felt no need to add to the queue of
> messages).

... and I got an off-list comment pointing out that:

"Section 6.1: If the Parental Agent displays the contents of the CDS / CDNSKEY
to the user and gets confirmation that this represents their key, the Parental
Agent MAY use this for initial enrolment (when the Parent zone does not contain
the DS for this delegation). But in section 4.1 you say:

  o Signer: "MUST be signed with a key that is represented in both the current
    DNSKEY and DS RRsets."

One of the two must be reworded."

Doh!

So, I have updated the "Signer" rule to be:

  o Signer: "MUST be signed with a key that is represented in both the current
    DNSKEY and DS RRsets" (unless the parent validates the CDS / CDNSKEY through
    some other means (see Section 6.1 and the Security Considerations.))

Any (major) objections?

This time for sure,
W

> Dan
>
> --
> Dan York
> Senior Content Strategist, Internet Society
> y...@isoc.org   +1-802-735-1624
> Jabber: y...@jabber.isoc.org
> Skype: danyork   http://twitter.com/danyork
>
> http://www.internetsociety.org/deploy360/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
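The revised "Signer" rule and its Section 6.1 exception, as an added example that is not part of the draft or of this thread: a parental agent's acceptance check for a child's CDS/CDNSKEY RRset, written in Python. The `cds_acceptable` interface, its `signer_tags` and `confirmed_out_of_band` parameters, and the sample DNSKEY octets are assumptions; key tags and DS digests follow RFC 4034.

```python
import hashlib
import struct
from dataclasses import dataclass
@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw public-key octets (constructed in the sample, not a real key)

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    acc = 0
    for i, octet in enumerate(key.rdata()):
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_wire(owner: str) -> bytes:
    """Canonical lowercase wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [l for l in owner.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_from_dnskey(owner: str, key: DNSKEY) -> tuple:
    """DS RDATA (key tag, algorithm, digest type 2, SHA-256) derived from a DNSKEY."""
    digest = hashlib.sha256(name_wire(owner) + key.rdata()).digest()
    return (key_tag(key), key.algorithm, 2, digest)

def cds_acceptable(owner, dnskeys, ds_rrset, signer_tags, confirmed_out_of_band=False):
    """Apply the 'Signer' rule to a CDS/CDNSKEY RRset fetched from the child (hypothetical
    parental-agent interface). signer_tags are the key tags from the RRSIGs over the
    CDS/CDNSKEY RRset, assumed already validated against the child's DNSKEY RRset."""
    for tag in signer_tags:
        for key in dnskeys:
            # Match by tag, then require the same key in the parent's DS RRset (comparing full DS RDATA defeats key-tag collisions).
            if key_tag(key) == tag and ds_from_dnskey(owner, key) in ds_rrset:
                return True, f"signed by key tag {tag}, present in both DNSKEY and DS"
    if not ds_rrset and confirmed_out_of_band:
        # Section 6.1 exception: no DS for this delegation yet and the operator
        # confirmed the CDS/CDNSKEY contents out of band.
        return True, "initial enrolment accepted on out-of-band confirmation"
    return False, "signer not represented in both the current DNSKEY and DS RRsets"

# Constructed sample: a KSK already in the parent's DS RRset, and a ZSK that is not.
KSK = DNSKEY(257, 3, 13, bytes(range(64)))
ZSK = DNSKEY(256, 3, 13, bytes(range(64, 128)))
PARENT_DS = {ds_from_dnskey("example.", KSK)}
```

A CDS RRset signed only by the ZSK is refused even though the ZSK is in the child's DNSKEY RRset, and a brand-new delegation is accepted only when the out-of-band confirmation flag is set.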