> On 20 Mar 2018, at 11:50, Shumon Huque <shu...@gmail.com> wrote:
>
> We've posted a new draft on Multi Provider DNSSEC models,
> which we're planning to discuss at Thursday's DNSOP session.
>
> https://tools.ietf.org/html/draft-huque-dnsop-multi-provider-dnssec-02
I have read through it, and it looks pretty good, though I think you are
burying the lede.
The first time I looked through I missed the clever parts, and thought to
myself that half of the models described in section 2 would make people very
sad. But section 4 on resolver behaviour explains the cleverness that avoids
making people sad (sharing public keys), so I looked through the model
descriptions more carefully and saw that they do in fact mention the trick.
To fix this misunderstanding, the introductory paragraphs in section 2.2 need
to explain your cleverness a lot more explicitly. e.g. this sentence:
    A key requirement here is to manage the contents of the DNSKEY and DS RRset in
    such a way that validating resolvers always have a viable path to authenticate
    the DNSSEC signature chain no matter which provider they query and obtain
    responses from.
Yeah, validation has to work, I know, now tell me the clever trick up front
otherwise I might not realise there is one!
Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
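The "sharing public keys" trick Tony refers to, modelled as an added example that is not part of the draft or of this thread: each provider's DNSKEY RRset carries its own KSK plus every provider's ZSK, the parent DS set lists all KSKs, and a resolver that fetched DNSKEY from one provider but the answer from another still validates. Key names, tags and the HMAC stand-in for real DNSSEC signatures are constructed assumptions.

```python
import hashlib, hmac
from dataclasses import dataclass, field
# Toy model of the draft's per-provider KSK/ZSK arrangement: the parent's DS RRset
# lists every provider's KSK, and every provider's DNSKEY RRset carries its own KSK
# plus the ZSKs of ALL providers. Signatures are HMAC stand-ins (assumed, not DNSSEC).

@dataclass
class Key:
    tag: str
    secret: bytes
    def sign(self, data):
        return (self.tag, hmac.new(self.secret, data, "sha256").hexdigest())
    def verify(self, data, sig):
        return sig[0] == self.tag and hmac.compare_digest(self.sign(data)[1], sig[1])
    def ds_digest(self):
        return hashlib.sha256(self.tag.encode()).hexdigest()

@dataclass
class Provider:
    ksk: Key
    zsk: Key
    dnskeys: list = field(default_factory=list)  # DNSKEY RRset this provider serves
    dnskey_sig: tuple = None                     # RRSIG over it, made with own KSK

def dnskey_wire(keys): return ",".join(sorted(k.tag for k in keys)).encode()

def build_zone(providers, share_zsks):
    """Configure each provider's DNSKEY RRset; return the parent's DS RRset."""
    for p in providers:
        others = [q.zsk for q in providers if share_zsks and q is not p]
        p.dnskeys = [p.ksk, p.zsk] + others
        p.dnskey_sig = p.ksk.sign(dnskey_wire(p.dnskeys))
    return {p.ksk.ds_digest() for p in providers}

def validate(ds_set, dnskey_from, data_from, data):
    """Resolver got DNSKEY from one provider and the signed answer from another."""
    keys = dnskey_from.dnskeys
    # 1. a KSK in the DNSKEY RRset must match DS and must have signed that RRset
    if not any(k.ds_digest() in ds_set and k.verify(dnskey_wire(keys), dnskey_from.dnskey_sig)
               for k in keys):
        return False
    # 2. the RRSIG on the answer must verify with a ZSK present in that same RRset
    sig = data_from.zsk.sign(data)
    return any(k.verify(data, sig) for k in keys)

def scenario(share_zsks):
    """DNSKEY fetched from provider A, but the A record answer came from provider B."""
    a = Provider(Key("ksk-A", b"ka"), Key("zsk-A", b"za"))
    b = Provider(Key("ksk-B", b"kb"), Key("zsk-B", b"zb"))
    ds = build_zone([a, b], share_zsks)
    return validate(ds, a, b, b"www.example. A 192.0.2.1")
```

`scenario(False)` shows the failure mode the draft avoids: the answer's RRSIG is made with a ZSK the resolver never saw, so validation fails even though both providers are legitimately in the DS set.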