At Fri, 7 Feb 2014 13:26:53 -0500,
Olafur Gudmundsson <o...@ogud.com> wrote:

> > In that, technically, an empty CDS / CDNSKEY RRset should mean the DS
> > RRset at the parent should be empty.  I have no problem with treating
> > an empty set as an exception, but I think it would help if the draft
> > explains that more explicitly.
> 
> Semantics semantics,  
> No we are defining the semantics to be "IF C* is published parent DS should 
> mirror that,
> if no C* in child --> parent has no action to perform" 

Yes, I now understand that.  Please see my latest response to Warren;
I still think it helps to clarify that explicitly.

> > I'd also note that "absence of CDS" (or CDNSKEY) cannot happen once
> > one such RR is published, and it should mean something erroneous (most
> > likely an operation error at the child or a bug in its tool).  I think
> > it's worth noting in Section 4.1
> 
> Why?
> Here is a perfectly fine time line
> <At start parent DS reflects key A and child uses A to sign DNSKEY RRset> 
> 
> Child publishes CDS with A and B 
> Parent updates DS to reflect A and B 
> Child deletes CDS   

Right, I was still a bit confused here.  Now I understand it, but I
also wonder why the child would delete the CDSs (again, please see
my latest response to Warren).

> Do you think it is helpful to add an appendix with some examples of use of C* 
> records ? 

Yes, I think so (I don't think I would need the example myself now
that I understand it, but I guess it helps other fresh readers:-).

> > Finally, I'd suggest explicitly clarifying that CDS / CDNSKEY cannot
> > be used for a child from signed to unsigned (since it would have to
> > remove all CDS / CDNSKEY records to do so).  And, I suspect this is a
> > "MUST NOT", unlike the case of initial enrollment described in Section
> > 9, because this would break interoperability.
> > 
> 
> In theory we can use C* to perform the Going-Unsigned operation, and earlier 
> version of this
> document proposed that, but people objected and we removed that text. 
> We explicitly outlaw going from Unsigned --> Signed w/o some out-of-band 
> validation. 

That's fine.  I just tried to point out that (even if allowed)
"removing all C*s as a signal of signed->unsigned" and the "no change
if no C*s" rule can't coexist.

--
JINMEI, Tatuya
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
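The semantics argued over in this exchange (parent DS mirrors a published CDS RRset, an absent CDS RRset means no action, and neither unsigned->signed nor signed->unsigned is expressed through CDS) can be pinned down as a small parent-side policy model. The block below is an added example written for this page, not code from the draft or from either author; it also runs Olafur's timeline and then extends it by one step (child retires key A by publishing CDS with B only) to show the mirror rule removing a DS. The signer check in rule 3 is an assumption taken from the published draft's requirement that the CDS RRset be signed by a key already represented in the parent's DS; the key tags and digests are constructed placeholders.

```python
"""Parent-side CDS consumer modelling the semantics discussed in this thread.
Constructed example for this page; not the draft's or any registry's code."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class DS:
    """One DS record (RFC 4034 fields). Digests used below are constructed placeholders."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


class PolicyViolation(Exception):
    """Raised when the parent must refuse to act on what it found at the child."""


def sync_parent_ds(current_ds: FrozenSet[DS],
                   child_cds: Optional[FrozenSet[DS]],
                   cds_signer_tags: FrozenSet[int]) -> FrozenSet[DS]:
    """Return the DS RRset the parent should publish after one poll of the child.

    current_ds      : DS RRset the parent currently publishes for this child.
    child_cds       : CDS RRset found at the child, or None when no CDS RRset exists.
    cds_signer_tags : key tags of the DNSKEYs whose RRSIGs over the CDS RRset validated.
    """
    # Rule 1 (this thread): no CDS RRset at the child -> parent has no action to perform.
    if child_cds is None:
        return current_ds

    # Rule 2 (this thread): unsigned -> signed is not done via CDS; it needs out-of-band validation.
    if not current_ds:
        raise PolicyViolation("child has no DS at the parent; enrollment needs out-of-band validation")

    # Rule 3 (assumption: the published draft's signer rule): the CDS RRset must be signed by a
    # key the parent already trusts, i.e. one represented in the current DS RRset.
    if not (cds_signer_tags & {ds.key_tag for ds in current_ds}):
        raise PolicyViolation("CDS RRset is not signed by a key in the current DS RRset")

    # Rule 4 (this thread): signed -> unsigned cannot be requested through CDS. An RRset with zero
    # records does not exist in DNS, so an empty set here is a caller bug, never a delete request.
    if not child_cds:
        raise PolicyViolation("empty CDS set cannot mean 'remove all DS'; treat as no CDS RRset")

    # Rule 5 (this thread): when CDS is published, the parent DS mirrors it exactly.
    return frozenset(child_cds)


def run_thread_timeline():
    """Olafur's timeline from this thread, plus one extra step; returns each DS state in order."""
    key_a = DS(key_tag=1001, algorithm=13, digest_type=2, digest="aa" * 32)  # constructed
    key_b = DS(key_tag=2002, algorithm=13, digest_type=2, digest="bb" * 32)  # constructed
    history = []

    # Start: parent DS reflects A; the child signs its DNSKEY RRset (and CDS) with A.
    parent_ds = frozenset({key_a})
    history.append(parent_ds)

    # Child publishes CDS with A and B, signed with A -> parent DS becomes {A, B}.
    parent_ds = sync_parent_ds(parent_ds, frozenset({key_a, key_b}), frozenset({1001}))
    history.append(parent_ds)

    # Child deletes the CDS RRset -> parent takes no action; DS stays {A, B}.
    parent_ds = sync_parent_ds(parent_ds, None, frozenset())
    history.append(parent_ds)

    # Extra step beyond the thread: child publishes CDS with B only, signed with B -> DS becomes {B}.
    parent_ds = sync_parent_ds(parent_ds, frozenset({key_b}), frozenset({2002}))
    history.append(parent_ds)
    return history


if __name__ == "__main__":
    for step, state in enumerate(run_thread_timeline()):
        print(step, sorted(ds.key_tag for ds in state))
```

Note that the model never lets a CDS RRset empty the DS RRset: the "no C* means no action" rule and a "remove all C* means go unsigned" signal would otherwise collide, which is exactly the point made in the last paragraph above.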
