To: dnsop@cafax.se
From: Rob Austein <sra+dnsop@hactrn.net>
Date: Tue, 08 Apr 2003 21:55:56 -0400
In-Reply-To: <20030331132915.GA2912@atoom.net>
Sender: owner-dnsop@cafax.se
User-Agent: Wanderlust/2.8.1 (Something) Emacs/20.7 Mule/4.0 (HANANOEN)
Subject: Re: preconfigured keys or ds's

Almost lost this one under other traffic.

At Mon, 31 Mar 2003 15:29:15 +0200, Miek Gieben wrote:
>
> I would like to see the following documented, but I don't know for sure
> if it is a dnssec or dnsop issue:
>
> The preconfigured keys for resolvers are large and are hard to compare
> and read (by humans). DS records on the other hand are much smaller
> and easier to handle. I think it would be better to preconfigure
> DS records instead of zone keys for resolvers. This is also how
> my perl resolver works.

<hat dnsop-wg-co-chair=off dnssec-editors-team-member=off>

This sounds like a reasonable implementation choice.

</hat>

> Where to put this? In the dnssec drafts or in a separate dnsop BCP?

<hat dnsop-wg-co-chair=off dnssec-editors-team-member=on>

The current DNSSECbis drafts don't talk about using trusted DS RRs as
a starting point, only trusted KEYs. Given the last paragraph of
section 2.4.1 of draft-ietf-dnsext-delegation-signer-13.txt, this
looks like an oversight (probably mine, since I was probably the last
person to work on the relevant text in the DNSSECbis drafts). So the
DNSSECbis spec needs fixing, and I don't expect anybody to argue
against the fix, but for process reasons it'd be best to post an
explanation to namedroppers first, so I'll do that.

</hat>

<hat dnsop-wg-co-chair=on dnssec-editors-team-member=off>

Because of the above, at least part of this is a DNSEXT issue.

</hat>
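The idea in the quoted proposal, as an added example that is not part of the original thread: a resolver configured with a DS record as its trust anchor hashes the zone key it receives and compares the result with that short record. The code follows the DS digest and key tag construction as later published in RFC 4034 (SHA-256 digest type from RFC 4509); the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_rdata(flags, protocol, algorithm, pubkey_b64):
    """Key RDATA: flags (16 bits), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for a zone key."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest

def matches_anchor(owner, rdata, anchor):
    """True if the key received from the zone hashes to the configured DS."""
    tag, alg, dtype, digest = anchor
    if dtype not in DIGESTS:
        return False  # unknown digest type: do not trust
    got = make_ds(owner, rdata, dtype)
    return got[:3] == (tag, alg, dtype) and hmac.compare_digest(got[3], digest.lower())

# Constructed sample key material (not a real zone key).
SAMPLE_KEY = key_rdata(257, 3, 8, base64.b64encode(bytes(range(64))).decode())
# The short record an operator would preconfigure instead of the full key.
ANCHOR = make_ds("example.", SAMPLE_KEY)

if __name__ == "__main__":
    print("configured DS:", *ANCHOR)
    print("genuine key accepted:", matches_anchor("example.", SAMPLE_KEY, ANCHOR))
    tampered = SAMPLE_KEY[:-1] + bytes([SAMPLE_KEY[-1] ^ 1])
    print("tampered key accepted:", matches_anchor("example.", tampered, ANCHOR))
```

The owner name is part of the hashed input, so a DS anchor configured for one zone does not validate the same key presented under another name.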