On Thu, 28 Aug 2008, Brian Dickson wrote:

>> (I would posit that the folks generating the DNSKEY will also
>> want to generate the DS hash on their known, trusted signing tools
>> instead of trusting the parent w/ the DNSKEY materials)
>
> Well, here's why:
>
> - The DS is a deterministic function
> - Having DS sent to the parent, rather than calculated locally by the
> parent, introduces a host of human and/or process risks/requirements

How does the parent know it is not getting spoofed, assuming this is the
first time a DS record is created for the subdomain?

> - Nothing in the DNSKEY, or in the building of the DS, involves private
> keys, only public keys - so there is no trust issue with the materials.

Getting the wrong public key in the DS record is a trust issue.

> - The DNSKEY is already published, so the parent can trivially get it,

Really? Getting it securely is not that trivial.

> in a way that is not subject to poisoning (the NS glue is hardcoded in
> the parent zone, after all)

IP spoofing is possible. See RFC 5011?

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
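The "deterministic function" both sides of the thread refer to is the DS digest of RFC 4034 section 5.1.4: hash(owner name in canonical wire form || DNSKEY RDATA). The following is an added example, not code from either poster, showing that computation and the parent-side check it enables: whether a DS handed in by the child matches the DNSKEY the parent fetched itself. The owner name `child.example.` and the two-byte "public key" `AQI=` are constructed placeholders, not real key material.

```python
"""Compute and check a DS record from a DNSKEY (RFC 4034 section 5.1.4).

Added example, not part of the mailing-list thread. The key material below is a
constructed placeholder, not a real key.
"""
import base64
import hashlib
import struct

# DS digest types handled here: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a checksum used to pick a key, not a security value."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex_digest): the DS derived from this DNSKEY.

    Any party holding the public DNSKEY gets the same answer, which is why the DS can be
    computed by the child on its signing host or recomputed by the parent.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(owner, flags, protocol, algorithm, public_key_b64, claimed_ds):
    """Parent-side check: does a DS submitted by the child match the DNSKEY the parent fetched?

    A mismatch means either a stale/wrong submission or a DNSKEY that is not the one the
    child intended to delegate trust to; either way the DS should not be published.
    """
    tag, alg, digest_type, hexdigest = claimed_ds
    expected = make_ds(owner, flags, protocol, algorithm, public_key_b64, digest_type)
    return expected == (tag, alg, digest_type, hexdigest.upper())


# Constructed placeholder DNSKEY: flags 257 (KSK), protocol 3, algorithm 8.
# "AQI=" is the base64 of the bytes 0x01 0x02, not a real RSA key.
EXAMPLE_OWNER = "child.example."
EXAMPLE_KEY = (257, 3, 8, "AQI=")

if __name__ == "__main__":
    tag, alg, dt, digest = make_ds(EXAMPLE_OWNER, *EXAMPLE_KEY)
    print(f"{EXAMPLE_OWNER} IN DS {tag} {alg} {dt} {digest}")
```

`ds_matches` is the check the parent would run on a submitted DS; it does nothing to establish that the DNSKEY it fetched is the genuine one, which is exactly the first-contact problem the reply raises.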