On Thu, Apr 17, 2014 at 4:46 AM, Matthijs Mekking <matth...@nlnetlabs.nl> wrote:
> On 04/16/2014 06:40 PM, Warren Kumari wrote:
>> On Wed, Apr 16, 2014 at 9:19 AM, Dan York <y...@isoc.org> wrote:
>>>
>>> On Apr 16, 2014, at 8:02 AM, Warren Kumari <war...@kumari.net>
>>>  wrote:
>>>
>>> I think I made it even clearer:
>>> The first time a DNS operator signs a zone, they need to communicate
>>> the keying material to their parent through some out-of-band method to
>>> complete the chain of trust. Depending on the desires of the parent,
>>> the child might send their DNSKEY record, a DS record, or both.
>>>
>>> Good?
>>>
>>>
>>> Looks good to me.    The whole document is looking very good.  I've been
>>> reading the conversation and initially had some concerns but others already
>>> addressed the points (and so I felt no need to add to the queue of
>>> messages).
>>
>> ... and I got an off-list comment pointing out that:
>> "Section 6.1
>>          If the Parental Agent displays the contents
>>         of the CDS / CDNSKEY to the user and gets confirmation that
>>         this represents their key, the Parental Agent MAY use this for
>>         initial enrolment (when the Parent zone does not contain the DS
>>         for this delegation).
>>
>> But in section 4.1 you say
>>    o  Signer: "MUST be signed with a key that is represented in both the
>>        current DNSKEY and DS RRset's."
>>
>> One of the two must be reworded."
>>
>> Doh! So, I have updated the "Signer" rule to be:
>> o  Signer: "MUST be signed with a key that is represented in both the
>>     current DNSKEY and DS RRset's" (unless the parent validates the
>>     CDS / CDNSKEY through some other means (see Section 6.1 and the
>>     Security Considerations.))
>>
>> Any (major) objections?
>
> Yes:)
>
> The comment in 6.1 is meant for a way to use this technique for initial
> enrollment. So I would rather see that the rewording in 4.1 also
> reflects that: I don't want the regular maintenance to be susceptible to
> 'other means validation'. Suggestion:
>
> (unless the parent uses the CDS / CDNSKEY RRset for initial enrollment,
> in that case the parent validates the CDS / CDNSKEY through some other
> means (see Section 6.1 and the Security Considerations.))

Oooh! Nice.
I was unable to come up with a succinct way of saying that. Changed.
I also fixed a typo / thinko in the Acknowledgements section.

*This* time for sure,
W




>
> Best regards,
>   Matthijs
>
>>
>> This time for sure,
>> W
>>
>>
>>
>>>
>>> Dan
>>>
>>> --
>>> Dan York
>>> Senior Content Strategist, Internet Society
>>> y...@isoc.org   +1-802-735-1624
>>> Jabber: y...@jabber.isoc.org
>>> Skype: danyork   http://twitter.com/danyork
>>>
>>> http://www.internetsociety.org/deploy360/
>>>
>>>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
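The Section 4.1 "Signer" rule discussed in this thread, together with the initial-enrollment exception from Section 6.1, is a policy a parental agent can apply before it acts on a CDS / CDNSKEY RRset. The code below is an added illustration written for this page; it is not code from the draft, from the thread participants or from any DNS implementation. It models DNSKEY, DS and RRSIG records as minimal constructed values (real records carry more fields), computes key tags with the RFC 4034 Appendix B algorithm, and assumes that cryptographic verification of the RRSIG itself is done separately. The record names, the function `cds_signer_acceptable` and the `oob_confirmed` flag are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol,
    algorithm, public key). Odd bytes are added as-is, even bytes shifted."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int
    public_key: bytes   # constructed placeholder bytes, not a real key

    def rdata(self) -> bytes:
        # protocol octet is always 3 for DNSSEC
        return self.flags.to_bytes(2, "big") + b"\x03" + bytes([self.algorithm]) + self.public_key

    def tag(self) -> int:
        return key_tag(self.rdata())


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int      # digest type and digest omitted in this model


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int      # the key that (claims to have) signed the CDS/CDNSKEY RRset


def cds_signer_acceptable(sig: RRSIG,
                          child_dnskeys: Iterable[DNSKEY],
                          parent_ds: Iterable[DS],
                          oob_confirmed: bool = False) -> Tuple[bool, str]:
    """Apply the draft's Signer rule to a CDS/CDNSKEY RRset.

    Regular maintenance (parent already has a DS for the delegation): the
    signing key MUST be present in both the child's DNSKEY RRset and the
    parent's DS RRset. Initial enrollment (no DS yet): the key must be in
    the DNSKEY RRset, and the parent must have confirmed the CDS/CDNSKEY
    contents through some other means (Section 6.1)."""
    signing_keys = {k for k in child_dnskeys
                    if k.tag() == sig.key_tag and k.algorithm == sig.algorithm}
    if not signing_keys:
        return False, "signer not represented in the child DNSKEY RRset"

    ds_refs = {(d.key_tag, d.algorithm) for d in parent_ds}
    if ds_refs:
        # regular maintenance: no out-of-band shortcut allowed here
        if any((k.tag(), k.algorithm) in ds_refs for k in signing_keys):
            return True, "signer represented in both DNSKEY and DS RRsets"
        return False, "signer not represented in the parent DS RRset"

    # initial enrollment: parent has no DS, so the chain of trust cannot vouch
    if oob_confirmed:
        return True, "initial enrollment, CDS/CDNSKEY confirmed via other means"
    return False, "no DS for this delegation and no out-of-band confirmation"


# Constructed sample data (placeholder key bytes, not real keys).
KSK = DNSKEY(flags=257, algorithm=13, public_key=b"\x01\x02\x03\x04")
ZSK = DNSKEY(flags=256, algorithm=13, public_key=b"\x0a\x0b")
CHILD_DNSKEYS = [KSK, ZSK]
PARENT_DS = [DS(key_tag=KSK.tag(), algorithm=13)]

if __name__ == "__main__":
    for label, sig, ds, oob in [
        ("maintenance, signed by KSK", RRSIG(KSK.tag(), 13), PARENT_DS, False),
        ("maintenance, signed by ZSK", RRSIG(ZSK.tag(), 13), PARENT_DS, False),
        ("enrollment, unconfirmed", RRSIG(KSK.tag(), 13), [], False),
        ("enrollment, confirmed", RRSIG(KSK.tag(), 13), [], True),
    ]:
        print(label, "->", cds_signer_acceptable(sig, CHILD_DNSKEYS, ds, oob))
```

The split between the two branches is the point Matthijs raises: the out-of-band confirmation is only consulted when the parent has no DS at all, so an operator who already has a delegation in place cannot have a CDS/CDNSKEY change accepted on the strength of a key that is not in the published DS RRset.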