Hello,

During wglc Sam Weiler came in with some comments on draft-ietf-dnsop-dnssec-operational-practices-03.

One specific item will merit some extra wg attention. It's about whether a parent should keep a DS and/or a DNSKEY in its local registry. Specifically it is about paragraph 4.4.2:

   4.4.2 Storing Keys So Hashes Can Be Regenerated

   When designing a registry system one should consider if the DNSKEYs
   and/or the corresponding DSs are stored. Storing DNSKEYs will help
   during troubleshooting while the overhead of calculating DS records
   from them is minimal. Having an out-of-band mechanism, such as a
   Whois database, to find out which keys are used to generate DS
   Resource Records for specific owners and/or zones may also help
   with troubleshooting.

Sam argues:

   Section 4.4.2 suggests storing DNSKEYs, not DSs. I think this is
   bad advice -- DS message digest algorithms may be used for
   signaling (of, for example, use of NSEC3), so the child may want to
   choose the message digest algorithm. Rather than require the parent
   to support them all, why not just let the child provide the hash?

I argue:

My opinion in this is that the DS is a parental record and as such a child may not even be aware that it exists.

Concerning the signalling, I can see that that can be useful, however, if a parent cannot even use the correct hash alg to hash the key into a DS, how can the resolver do that then? If the resolver knows about this supersecret hashing algorithm, why does the child want to upload the DS/DNSKEY to the parent in the first place?

Also, if a child cannot trust its parent to make a correct DS hash, it needs to find a new parent IMO.

What does the wg think, is some extra text needed?

Thanks

--
grtz,
- Miek
http://www.miek.nl
http://www.nlnetlabs.nl

.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
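As an added illustration of the paragraph under discussion (the "overhead of calculating DS records" from a stored DNSKEY, and the point that the digest algorithm is a per-DS choice the parent has to be able to honour), here is a small Python script that regenerates DS records from a DNSKEY following RFC 4034 section 5.1.4. It is not from the draft and not from anyone on the list. It assumes a registry that knows only digest type 1 (SHA-1, RFC 4034) and type 2 (SHA-256, RFC 4509); the function names, the `DIGEST_TYPES` table and the refusal path for other digest types are this example's own choices. The sample input is the DNSKEY from the DS example in RFC 4034 section 5.4.

```python
"""
Regenerating DS records from a stored DNSKEY (RFC 4034 section 5.1.4).

Added example, not code from the draft or the dnsop list.  Uses only the
Python standard library.  Assumed digest types known to the registry:
  1 = SHA-1   (RFC 4034)
  2 = SHA-256 (RFC 4509)
"""
import base64
import hashlib
import struct

# Digest types this toy registry can produce (assumption of this example).
# A child asking for a digest type not in this table cannot be served from
# a stored DNSKEY alone; make_ds() refuses rather than guessing.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower-case, each label length-prefixed, terminated by the root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("bad label length")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, form for algorithms other than 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            key_b64: str, digest_type: int) -> str:
    """Return the DS RR in presentation format, or raise ValueError if the
    registry does not know the requested digest type.

    digest = digest_algorithm(canonical owner name | DNSKEY RDATA)
    """
    try:
        digest_fn = DIGEST_TYPES[digest_type]
    except KeyError:
        raise ValueError(f"unsupported DS digest type {digest_type}") from None
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = digest_fn(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


# Sample input: the DNSKEY from the DS example in RFC 4034 section 5.4,
# which that RFC lists as key id 60485 with SHA-1 DS digest
# 2BB183AF5F22588179A53B0A98631FAD1A292118.
RFC4034_OWNER = "dskey.example.com."
RFC4034_KEY = (
    "AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/"
    "2pHm822aJ5iI9BMzNXxeYCmZDRD99WYwYqUSdjMmmAphXdvx"
    "egXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc"
    "nOf+EPbtG9DMBmADjFDc2w/rljwvFw=="
)

if __name__ == "__main__":
    # Same stored DNSKEY, two DS records: the key tag is identical,
    # only the digest type and digest differ.
    for dt in (1, 2):
        print(make_ds(RFC4034_OWNER, 256, 3, 5, RFC4034_KEY, dt))
    # A digest type the registry does not implement cannot be regenerated.
    try:
        make_ds(RFC4034_OWNER, 256, 3, 5, RFC4034_KEY, 99)
    except ValueError as err:
        print("registry cannot regenerate this DS:", err)
```

The split in the thread maps onto the last branch: a registry that stores DNSKEYs can hand out a DS for any digest type in its table at negligible cost, but only for those types; a child that wants a digest type outside the table has to supply the DS itself, which is the case the comment on 4.4.2 is about.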
