On Apr 22, 2013, at 5:41 PM, Doug Barton <do...@dougbarton.us> wrote:
> On 04/22/2013 02:19 PM, Joe Abley wrote:
>> On 2013-04-22, at 17:17, Wes Hardaker <wjh...@hardakers.net> wrote:
>>> Wes Hardaker <wjh...@hardakers.net> writes:
>>>> For what it's worth: I'm sort of on the fence when it comes to needing
>>>> to sign with the KSK. There are so very very few key-split owners out
>>>> there that it's not a huge market for them, and I doubt any of them will
>>>> want to do CDS anyway to their parent.
>>>
>>> FYI: I meant to mention that there is a significant number of operators
>>> that do actually protect their keys with different levels of protection
>>> and keep their KSKs in a "better vault".
>>
>> That's interesting. Can you cite examples?
>>
>> The only example I know of is the root zone, which is weird and special for
>> a variety of non-technical reasons. Last time I looked neither the BIND9 nor
>> OpenDNSSEC toolchains supported offline-KSK operations without a lot of
>> hackery.
>
> Various TLDs discussed their plans to take similar steps at various points in
> the past. There is no reason to believe that other sites (particularly large
> financials) wouldn't be doing the same.
>
> That said, I don't see any reason to introduce "ZSK can validate a CDS
> record," and lots of reasons to require the KSK(s) to do so. If off-line KSK
> users can't use CDS to do their thing, I'm sure they would consider that an
> acceptable compromise.

Um, I'm probably missing something obvious here, but you cannot use CDS to enroll in DNSSEC. This means that you'll have to use the original out-of-band system -- what if we extend Wes's radio buttons to include ZSK / KSK[0]?

Update the DS record when (pick one):
[ ] Ever a properly signed CDS record exists
[ ] Ever a properly signed CDS record exists and I click an OK button here
[ ] Never. I enjoy the ctrl-v experience.

Require that this is signed with the KSK?
[ ] Yes, I have a separate process for my keys.
[ ] Nope, they all live on the same filesystem. If someone gets one, they have the other.

Obviously the parent now has more state (and the child's logic is a little trickier), but...

W

[0]: s/KSK/a key with the SEP bit set/G

> Doug
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

---
Schizophrenia beats being alone.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
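As an added example that is not part of the thread, here is how a parent could encode the two sets of radio buttons above as an acceptance policy for a child's CDS RRset. It assumes the RRSIGs over CDS have already been cryptographically validated elsewhere and only decides which signer the parent is willing to act on; the "KSK" test follows the footnote (SEP bit set), the key tag is the RFC 4034 Appendix B computation, and the DNSKEY sample values are constructed, not real key material.

```python
"""Parent-side CDS acceptance policy; RRSIG crypto validation is assumed done
elsewhere. Key and function names are this example's own, not a registry API."""
from dataclasses import dataclass
from enum import Enum

SEP_FLAG = 0x0001  # DNSKEY "Secure Entry Point" flag (RFC 4034 section 2.1.1)
class Policy(Enum):
    AUTO = "update whenever a properly signed CDS record exists"
    CONFIRM = "update when a properly signed CDS exists and the operator clicks OK"
    NEVER = "never; the operator pastes DS records by hand"

@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (every algorithm except the obsolete 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    @property
    def is_sep(self) -> bool:
        return bool(self.flags & SEP_FLAG)

def accept_cds(policy, require_sep, dnskeys, rrsig_key_tags, operator_ok=False):
    """True if the parent should replace its DS RRset from the child's CDS.
    rrsig_key_tags are the key tags carried by the already-validated RRSIGs over CDS."""
    if policy is Policy.NEVER:
        return False
    signers = [k for k in dnskeys if k.key_tag() in set(rrsig_key_tags)]
    if not signers:
        return False  # no validated signature maps to a published DNSKEY
    if require_sep and not any(k.is_sep for k in signers):
        return False  # signed only by non-SEP (ZSK-style) keys; policy wants a SEP key
    return policy is Policy.AUTO or operator_ok

# Constructed sample keys (not real key material): 257 = ZONE|SEP, 256 = ZONE only.
KSK = DNSKEY(257, 3, 8, b"\x01\x02\x03\x04")
ZSK = DNSKEY(256, 3, 8, b"\x05\x06\x07\x08")
```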