On Fri, 1 Apr 2005 13:24:27 -0500 (EST) Samuel Weiler <[EMAIL PROTECTED]> wrote:
> How about something with a little more explanation and a slightly
> stronger suggestion?

I added a small paragraph to your suggested text; the section now reads as quoted below. If there are no further comments on this I think we addressed all the last call issues. We will roll the draft shortly.

--Olaf

4.4.2 Storing Keys or Hashes?

When designing a registry system one should consider which of the DNSKEYs and/or the corresponding DSs to store. Since a child zone might wish to have a DS published using a message digest algorithm not yet understood by the registry, the registry can't count on being able to generate the DS record from a raw DNSKEY. Thus, we recommend that registry systems at least support storing DS records.

It may also be useful to store DNSKEYs, since having them may help during troubleshooting and, so long as the child's chosen message digest is supported, the overhead of generating DS records from them is minimal. Having an out-of-band mechanism, such as a Whois database, to find out which keys are used to generate DS Resource Records for specific owners and/or zones may also help with troubleshooting.

The storage considerations also relate to the design of the customer interface and the method by which data is transferred between registrant and registry: will the child zone owner be able to upload DS RRs with unknown hash algorithms, or does the interface only allow DNSKEYs? In the registry-registrar model one can use the DNSSEC EPP protocol extensions [9], which allow transfer of DS RRs and optionally DNSKEY RRs.

--
---------------------------------| Olaf M. Kolkman
---------------------------------| RIPE NCC
---------------------------------| JID: olaf at jabber.secret-wg.org

dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
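The draft text above turns on one mechanical fact: a DS record is a digest over the owner name plus the DNSKEY RDATA, so a registry that holds only DNSKEYs can produce a DS only for digest types it implements. The following is an added illustration, not code from the draft, the e-mail, or any registry; it computes DS records from a DNSKEY the way RFC 4034 section 5.1.4 and Appendix B (key tag) describe, and models the registry-side choice the section discusses: accept and store a submitted DS even when its digest type is unknown, and only cross-check it against the DNSKEY when the digest can be computed. The function names, the `SUPPORTED_DIGESTS` table (which deliberately omits digest type 3, GOST, to stand in for "a digest the registry does not understand"), and the sample key (constructed bytes, not a real RSA key) are all assumptions of this example.

```python
"""DS generation from DNSKEY (RFC 4034 s.5.1.4, key tag per Appendix B) and a
registry acceptance check that stores a DS with an unknown digest type.
Added example; names and the sample key are constructed for illustration."""
import base64
import hashlib
import struct

# Digest types this hypothetical registry can compute (IANA "DS RR Type Digest
# Algorithms": 1 = SHA-1, 2 = SHA-256, 4 = SHA-384). Type 3 (GOST R 34.11-94)
# is left out on purpose to model a digest the registry does not support.
SUPPORTED_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


class UnsupportedDigest(Exception):
    """Raised when asked to build a DS with a digest type we cannot compute."""


def wire_name(name):
    """Canonical wire form of an owner name (RFC 4034 s.6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text):
    """Parse DNSKEY RDATA in presentation form: 'flags protocol algorithm b64'."""
    flags, proto, alg, *b64 = text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(b64))


def dnskey_rdata(flags, proto, alg, pubkey):
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (general case; the RSA/MD5 special case of
    algorithm 1 is not handled here)."""
    ac = 0
    for i in range(0, len(rdata), 2):
        word = rdata[i] << 8
        if i + 1 < len(rdata):
            word |= rdata[i + 1]
        ac += word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, dnskey_text, digest_type):
    """Return the DS RDATA in presentation form for the given DNSKEY, or raise
    UnsupportedDigest if the registry cannot compute that digest type."""
    flags, proto, alg, pubkey = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    if digest_type not in SUPPORTED_DIGESTS:
        raise UnsupportedDigest(f"digest type {digest_type} not supported")
    digest = SUPPORTED_DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest.upper()}"


def accept_ds_submission(owner, ds_text, dnskey_text=None):
    """Registry-side check. Returns (accepted, normalized_ds, status).
    The DS is always kept as submitted; it is verified against the DNSKEY only
    when one was supplied and the digest type is computable here."""
    tag, alg, dtype, *hexparts = ds_text.split()
    normalized = f"{int(tag)} {int(alg)} {int(dtype)} {''.join(hexparts).upper()}"
    if dnskey_text is None:
        return True, normalized, "stored, unverified (no DNSKEY supplied)"
    try:
        expected = make_ds(owner, dnskey_text, int(dtype))
    except UnsupportedDigest:
        return True, normalized, f"stored, unverified (digest type {int(dtype)} not supported)"
    if expected == normalized:
        return True, normalized, "stored, verified against DNSKEY"
    return False, normalized, "rejected: DS does not match DNSKEY"


# Constructed sample (not a real key): RSA-style exponent 65537 plus 8 bytes of
# filler modulus, algorithm 8 (RSASHA256), flags 257 (KSK).
SAMPLE_PUBKEY = bytes.fromhex("03010001c0ffee00deadbeef")
SAMPLE_DNSKEY = "257 3 8 " + base64.b64encode(SAMPLE_PUBKEY).decode()
SAMPLE_OWNER = "example."

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY, 2)
    print("generated:", ds)
    print(accept_ds_submission(SAMPLE_OWNER, ds, SAMPLE_DNSKEY))
    print(accept_ds_submission(SAMPLE_OWNER, "21417 8 3 " + "AB" * 32, SAMPLE_DNSKEY))
```

The third call in the `__main__` block is the case the draft section is about: a DS with digest type 3 arrives, the registry cannot regenerate it from the DNSKEY, and the sensible behaviour is to store it as received rather than reject it; an interface that only accepts DNSKEYs would have no way to publish that delegation at all.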
