To: Miek Gieben <miekg@nlnetlabs.nl>
Cc: dnsop <dnsop@cafax.se>, lewis@tislabs.com
From: Edward Lewis <lewis@tislabs.com>
Date: Mon, 23 Oct 2000 09:56:17 -0400
In-Reply-To: <20001023140642.A19769@nlnetlabs.nl>
Sender: owner-dnsop@cafax.se
Subject: Re: keysets at the registry
At 8:06 AM -0400 10/23/00, Miek Gieben wrote:

>Is this really necessary? Why not only send a key to the registry?

1) The SIG accompanies the KEY as a convenient means to express the validity period. The $TTL directive is a convenient means to express the desired TTL.

dnssec-keygen output writes out the key record, missing two important pieces of information. One is the TTL, the other is the validity period. The reason dnssec-keygen omits the TTL is that the TTL is a facet of the zone and will be set when the zone is signed/otherwise processed. The validity period is omitted because that is set at signing time, not key generation. (The KEY doesn't expire, the SIG does.)

In BIND 8, this was "solved" by the .PARENT file. This solution was not satisfactory however - other problems ensued. So, in BIND 9, the need to add the TTL and validity period to the KEY when it is being sent to the parent for validation remained and was met by using existing structures.

2) When the parent gets the keyset file and verifies that the file came from the authorized sender, the parent can also verify that the key(s) arriving are the correct keys, i.e., no one has changed them. The sender, by having a copy of the .keyset file, can use that and the .signedkey file to verify that no one added or deleted a key. (Such a tool has not been written yet.)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

"It takes years of training to know when to do nothing" - Dogbert

Opinions expressed are property of my evil twin, not my employer.
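An added example, not code from the message or from BIND: a checker for the two points above. It assumes keyset files in RFC 2535 presentation syntax with constructed placeholder key and signature fields, verifies that a keyset carries a $TTL directive and a SIG over KEY whose validity period covers a given time, and compares the KEY RDATA in the .keyset sent with the .signedkey returned to report added or removed keys (the tool the message says had not yet been written).

```python
from datetime import datetime
# Constructed samples in RFC 2535 syntax; key and signature fields are placeholders.
KEYSET = """$TTL 3600
example. IN KEY 256 3 1 AQPexampleKeyOne==
example. IN KEY 256 3 1 AQPexampleKeyTwo==
example. IN SIG KEY 1 1 3600 20001123000000 20001024000000 4738 example. c2lnbmF0dXJl
"""
SIGNEDKEY = """$TTL 3600
example. IN KEY 256 3 1 AQPexampleKeyOne==
example. IN SIG KEY 1 1 3600 20001123000000 20001024000000 4738 parent. c2ln
"""  # what the parent returned: the second key is missing

def _ts(s):  # SIG timestamps are YYYYMMDDHHMMSS
    return datetime.strptime(s, '%Y%m%d%H%M%S')

def parse_keyset(text):
    """Return (ttl, keys, sigs): keys is the set of 'flags proto alg pubkey'
    RDATA strings, sigs a list of (inception, expiration) for SIGs over KEY."""
    ttl, keys, sigs = None, set(), []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(';'):
            continue
        if fields[0] == '$TTL':
            ttl = int(fields[1])
            continue
        rr = fields[1:]                     # drop the owner name
        while rr and (rr[0].isdigit() or rr[0] == 'IN'):
            rr = rr[1:]                     # optional per-record TTL and class
        if rr[:1] == ['KEY']:
            keys.add(' '.join(rr[1:5]))
        elif rr[:2] == ['SIG', 'KEY']:
            # SIG RDATA: type alg labels orig-ttl expiration inception tag signer sig
            sigs.append((_ts(rr[6]), _ts(rr[5])))
    return ttl, keys, sigs

def check_keyset(text, now):
    """Reasons a parent would reject the file; now is YYYYMMDDHHMMSS."""
    ttl, _keys, sigs = parse_keyset(text)
    problems = []
    if ttl is None:
        problems.append('no $TTL directive')
    if not sigs:
        problems.append('no SIG over KEY, so no validity period')
    for inc, exp in sigs:
        if not inc <= _ts(now) < exp:
            problems.append('SIG valid %s to %s does not cover %s' % (inc, exp, now))
    return problems

def keys_changed(sent_text, returned_text):
    """(added, removed) KEY RDATA between the .keyset sent and the .signedkey returned."""
    sent, got = parse_keyset(sent_text)[1], parse_keyset(returned_text)[1]
    return got - sent, sent - got
```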