On 04/16/2014 06:40 PM, Warren Kumari wrote: > On Wed, Apr 16, 2014 at 9:19 AM, Dan York <y...@isoc.org> wrote: >> >> On Apr 16, 2014, at 8:02 AM, Warren Kumari <war...@kumari.net> >> wrote: >> >> I think I made it even clearer: >> The first time a DNS operator signs a zone, they need to communicate >> the keying material to their parent through some out-of-band method to >> complete the chain of trust. Depending on the desires of the parent, >> the child might send their DNSKEY record, a DS record, or both. >> >> Good? >> >> >> Looks good to me. The whole document is looking very good. I've been >> reading the conversation and initially had some concerns but others already >> addressed the points (and so I felt no need to add to the queue of >> messages). > > ... and I got an off-list comment pointing out that: > "Section 6.1 > If the Parental Agent displays the contents > of the CDS / CDSNKEY to the user and gets confirmation that > this represents their key, the Parental Agent MAY use this for > initial enrolment (when the Parent zone does not contain the DS > for this delgation). > > But in section 4.1 you say > o Signer: "MUST be signed with a key that is represented in both the > current DNSKEY and DS RRset's." > > One of the two must be reworded." > > Doh! So, I have updated the "Signer" rule to be: > o Signer: "MUST be signed with a key that is represented in both the > current DNSKEY and DS RRset's" (unless the parent validates the > CDS / CDNSKEY though some other means (see Section 6.1 and the > Security Considerations.)) > > Any (major) objections?
Yes:) The comment in 6.1 is meant for a way to use this technique for initial enrollment. So I would rather see that the rewording in 4.1 also reflects that: I don't want the regular maintenance to be susceptible to 'other means validation'. Suggestion: (unless the parent uses the CDS / CDNSKEY RRset for initial enrollment, in that case the parent validates the CDS / CDNSKEY though some other means (see Section 6.1 and the Security Considerations.)) Best regards, Matthijs > > This time for sure, > W > > > >> >> Dan >> >> -- >> Dan York >> Senior Content Strategist, Internet Society >> y...@isoc.org +1-802-735-1624 >> Jabber: y...@jabber.isoc.org >> Skype: danyork http://twitter.com/danyork >> >> http://www.internetsociety.org/deploy360/ >> >> > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
