IETF provreg mailing list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: ietf-provreg@cafax.se
From: Klaus Malorny <Klaus.Malorny@knipp.de>
Date: Tue, 25 Oct 2005 18:49:50 +0200
Sender: owner-ietf-provreg@cafax.se
User-Agent: Thunderbird 1.4.1 (Windows/20051005)
Subject: [ietf-provreg] secdns draft


Hi all,

I just browsed through Scott Hollenbeck's secdns EPP extension draft. While it 
is just another example of an EPP "community driven" standard, being in the 8th 
round already, but mentioned in this list only once yet, and while I still have 
some general concerns regarding the involvement of the registrar and the 
consequences to the actual security of DNSSEC, I don't want to examine this (at 
least now), but I do have some concrete questions regarding the latest (08) draft:

* The draft allows the specification of a value called "maxSigLife". This shall
   allow the registrar to specify the maximum lifetime of the signature of the DS
   record. However, to my (surely incomplete) understanding of the DNSSEC
   standard, the lifetime of an RRSIG signature depends _solely_ on the intended
   lifetime of the related signing key, i.e. in this case the ZSK of the
   registry, which depends on the key length and the rollover strategy chosen by
   the registry and not on the content the RRSIG signs (i.e. the DS record in
   this case). If at all, it would IMHO make much more sense to allow the
   specification of the TTL for the DS record (but this is impossible also).
   So to me, this value does not make any sense. Any counter-arguments?

related to the above:

** what should the registry do at the end of the lifetime?

** what should the registry do if multiple DS records with different
    maxSigLife values exist?

* What is the purpose of the "urgent" value? I see no reason why the registry
   would not include the new DS record in the very next zone update anyway.
   We don't have an "urgent" for NS records neither :-)

* I do not see any sense in specifying both the contents of the DS record
   _and_ the related DNSKEY record at the same time. The DS record can
   be calculated from the DNSKEY (of course), and a registry would have to
   calculate it anyway in order to verify the equality of both parameters.
   To me, it would make more sense to have them as alternatives than of
   having both types at the same time. If a registry policy ever wants to
   check certain key properties (algorithm, key length), then a registry
   can make the specification of the DNSKEY (instead of the DS) mandatory.

* Using the 16 Bit key tag of the key to identify the DS/DNSKEY that
   should be removed from the domain is a bit risky having the probability
   in mind that more than one key has exactly this tag. DNSSEC never relies
   on the uniqueness of this tag.

Just my two cents.

regards,

Klaus


___________________________________________________________________________
      |       |
      | knipp |                   Knipp  Medien und Kommunikation GmbH
       -------                           Technologiepark
                                         Martin-Schmeißer-Weg 9
      Dipl. Inf. Klaus Malorny           44227 Dortmund
      Klaus.Malorny@knipp.de             Tel. +49 231 9703 0

Follow-Ups:
- Re: [ietf-provreg] secdns draft
  - From: Edward Lewis <Ed.Lewis@Neustar.biz>

Prev by Date: [ietf-provreg] Open source EPP implementation, with EURid EPP extensions
Next by Date: YOU HAVE WON!!
Prev by thread: [ietf-provreg] Open source EPP implementation, with EURid EPP extensions
Next by thread: Re: [ietf-provreg] secdns draft
Index(es):
- Date
- Thread

Home | Date list | Subject list