To: ietf-provreg@cafax.se
From: Andrew Sullivan <ajs@shinkuro.com>
Date: Tue, 27 Oct 2009 17:02:27 -0400
Content-Disposition: inline
In-Reply-To: <23CBC376-9C3C-4D37-A67E-FF4214982D06@cisco.com>
Mail-Followup-To: Andrew Sullivan <ajs@shinkuro.com>, ietf-provreg@cafax.se
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: [ietf-provreg] Anyone working on 4310-bis?
On Tue, Oct 27, 2009 at 09:31:10PM +0100, Patrik Fältström wrote:

> We use epp and DNSSEC in .SE since a while back. What are the issues you
> think?

Howard pointed out to me that the key tag is what is used to do operations on a DS. That's fine, until you're trying to roll algorithms, because of this happy bit in RFC 4034:

    The key tag is the same for all DNSKEY algorithm types except
    algorithm 1 (please see Appendix B.1 for the definition of the key
    tag for algorithm 1).

One operational model for moving from SHA-1 to SHA-256 is to add a new key using both SHA-1 and SHA-256, and then remove the SHA-1 version after some time.

Now, one might want to say, "Don't do that," but I think the document either ought to say that or else specify a way to identify DS records that does not rely on the key tag.

Also, of course, if there turned out to be a major problem with one or the other algorithms, one would want a way to yank one of the keys without yanking the other.

I haven't completely thought through this, however. The only way I know how really to think through something is to write the text (I'm dim), so I thought I'd ask whether someone is working on text. If so, I could figure out how to add to it, or else I could just write something new.

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
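An added illustration of the key-tag ambiguity described in the mail; it is not part of the thread. It assumes the SHA-1/SHA-256 roll is a DS digest-type roll over a single DNSKEY (an assumption about the scenario), uses a constructed owner name and DNSKEY RDATA, and models an RFC 4310-style removal keyed on the key tag alone as remove_by_key_tag.

```python
import hashlib

# Constructed DNSKEY: flags=257 (KSK), protocol=3, algorithm=8, followed by
# placeholder public-key bytes. Not a real key; for illustration only.
EXAMPLE_OWNER = "example.se."
EXAMPLE_DNSKEY_RDATA = bytes([0x01, 0x01, 0x03, 0x08]) + bytes(range(0x10, 0x30))

# DS digest types from RFC 4034 / RFC 4509.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of the owner name (RFC 4034 section 6.2)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner: str, rdata: bytes, digest_type: int) -> dict:
    """Derive DS RDATA fields (RFC 4034 section 5.1): digest(owner | DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return {"keyTag": key_tag(rdata), "alg": rdata[3],
            "digestType": digest_type, "digest": digest}


def remove_by_key_tag(ds_set: list, tag: int) -> list:
    """Removal identified by keyTag only: returns what remains published."""
    return [ds for ds in ds_set if ds["keyTag"] != tag]


def roll_demo():
    """Publish SHA-1 and SHA-256 DS for one key, then try to retire only the SHA-1 DS."""
    ds_sha1 = ds_record(EXAMPLE_OWNER, EXAMPLE_DNSKEY_RDATA, 1)
    ds_sha256 = ds_record(EXAMPLE_OWNER, EXAMPLE_DNSKEY_RDATA, 2)
    published = [ds_sha1, ds_sha256]
    # Both DS share the key tag, so a keyTag-only removal takes the SHA-256 DS too.
    remaining = remove_by_key_tag(published, ds_sha1["keyTag"])
    return ds_sha1, ds_sha256, remaining
```

The empty remaining set is the failure mode the mail points at: key tag plus digest type (or the full DS data) is needed to retire one DS and keep the other.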