Re: [DNSOP] Multi Provider DNSSEC Models

2018-03-30 Thread Shumon Huque
On Fri, Mar 30, 2018 at 1:47 AM, Yoshiro YONEYA wrote: > Hi Shumon, > > Thank you for starting a good document. > I think this document is also useful for DNS provider transfer (or > Registrar transfer) without causing a DNSSEC insecure state. The good > thing is that this document doesn't depend on EPP

Re: [DNSOP] Multi Provider DNSSEC Models

2018-03-29 Thread Yoshiro YONEYA
Hi Shumon, Thank you for starting a good document. I think this document is also useful for DNS provider transfer (or Registrar transfer) without causing a DNSSEC insecure state. The good thing is that this document doesn't depend on EPP (can be used with TLDs that don't employ EPP). -- Yoshiro

Re: [DNSOP] Multi Provider DNSSEC Models

2018-03-22 Thread Matthijs Mekking
I agree, model 1 and model 2 seem doable. Note that RFC 6781 has some text for model 2 on rollover when changing DNS operators. https://tools.ietf.org/html/rfc6781#section-4.3.5 Matthijs On 22-03-18 13:50, Tony Finch wrote: Olafur Gudmundsson wrote: I think only Model #1 makes sense, i.e

Re: [DNSOP] Multi Provider DNSSEC Models

2018-03-22 Thread Shumon Huque
On Thu, Mar 22, 2018 at 1:42 PM, Tony Finch wrote: > Shumon Huque wrote: > > On Thu, Mar 22, 2018 at 12:50 PM, Tony Finch wrote: > > > > > > From the provider point of view, I think there are a couple of models: > > > > > > (a) provider has KSK and ZSK; zone owner needs to be able to import > o

Re: [DNSOP] Multi Provider DNSSEC Models

2018-03-22 Thread Tony Finch
Shumon Huque wrote: > On Thu, Mar 22, 2018 at 12:50 PM, Tony Finch wrote: > > > > From the provider point of view, I think there are a couple of models: > > > > (a) provider has KSK and ZSK; zone owner needs to be able to import other > > provider public keys into this provider's DNSKEY RRset, an

Re: [DNSOP] Multi Provider DNSSEC Models

2018-03-22 Thread Ólafur Guðmundsson
On Thu, Mar 22, 2018 at 1:00 PM, Shumon Huque wrote: > On Thu, Mar 22, 2018 at 12:50 PM, Tony Finch wrote: > >> Olafur Gudmundsson wrote: >> > >> > I think only Model #1 makes sense, i.e. Zone apex DNSKEY/CDNSKEY/CDS >> > RRsets are signed by zone publisher but rest signed by operator on the >>

Re: [DNSOP] Multi Provider DNSSEC Models

2018-03-22 Thread Shumon Huque
On Thu, Mar 22, 2018 at 12:50 PM, Tony Finch wrote: > Olafur Gudmundsson wrote: > > > > I think only Model #1 makes sense, i.e. Zone apex DNSKEY/CDNSKEY/CDS > > RRsets are signed by zone publisher but rest signed by operator on the > > fly. > > From the provider point of view, I think there are

Re: [DNSOP] Multi Provider DNSSEC Models

2018-03-22 Thread Tony Finch
Olafur Gudmundsson wrote: > > I think only Model #1 makes sense, i.e. Zone apex DNSKEY/CDNSKEY/CDS > RRsets are signed by zone publisher but rest signed by operator on the > fly. From the provider point of view, I think there are a couple of models: (a) provider has KSK and ZSK; zone owner need

Re: [DNSOP] Multi Provider DNSSEC Models

2018-03-22 Thread Paul Wouters
On Thu, 22 Mar 2018, Olafur Gudmundsson wrote: The document covers the case that different providers use different signing algorithms BUT does not cover if they use different negative answer approaches, no good answer other than say NSEC with “lies”. I think the document describes what I th

Re: [DNSOP] Multi Provider DNSSEC Models

2018-03-21 Thread Olafur Gudmundsson
> On Mar 21, 2018, at 8:35 AM, Shumon Huque wrote: > > On Wed, Mar 21, 2018 at 12:38 AM, Tony Finch > wrote: > > On 20 Mar 2018, at 11:50, Shumon Huque > wrote: > >> We've posted a new draft on Multi Provider DNSSEC models, >> which we're planni

Re: [DNSOP] Multi Provider DNSSEC Models

2018-03-21 Thread Shumon Huque
On Wed, Mar 21, 2018 at 12:38 AM, Tony Finch wrote: > > On 20 Mar 2018, at 11:50, Shumon Huque wrote: > > We've posted a new draft on Multi Provider DNSSEC models, > which we're planning to discuss at Thursday's DNSOP session. > > https://tools.ietf.org/html/draft-huque-dnsop-multi-provider-dnss

Re: [DNSOP] Multi Provider DNSSEC Models

2018-03-20 Thread Tony Finch
> On 20 Mar 2018, at 11:50, Shumon Huque wrote: > > We've posted a new draft on Multi Provider DNSSEC models, > which we're planning to discuss at Thursday's DNSOP session. > > https://tools.ietf.org/html/draft-huque-dnsop-multi-provider-dnssec-02 I have read through it, and it looks pretty go

[DNSOP] Multi Provider DNSSEC Models

2018-03-20 Thread Shumon Huque
Hi folks, We've posted a new draft on Multi Provider DNSSEC models, which we're planning to discuss at Thursday's DNSOP session. https://tools.ietf.org/html/draft-huque-dnsop-multi-provider-dnssec-02 Thanks! Shumon.