

To: Andrew Sullivan <ajs@shinkuro.com>
Cc: ietf-provreg@cafax.se
From: Patrik Fältström <paf@cisco.com>
Date: Tue, 27 Oct 2009 22:23:12 +0100
Authentication-Results: ams-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
In-Reply-To: <20091027210224.GC61322@shinkuro.com>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: [ietf-provreg] Anyone working on 4310-bis?

On 27 Oct 2009, at 22.02, Andrew Sullivan wrote:

> On Tue, Oct 27, 2009 at 09:31:10PM +0100, Patrik Fältström wrote:
>> We use epp and DNSSEC in .SE since a while back. What are the issues
>> you think?
>
> Howard pointed out to me that the key tag is what is used to do
> operations on a DS.  That's fine, until you're trying to roll
> algorithms, because of this happy bit in RFC 4034:
>
>   The key tag is the same for all DNSKEY algorithm types except
>   algorithm 1 (please see Appendix B.1 for the definition of the key
>   tag for algorithm 1).

Correct, the key tag is the (only) index when you want to do operations.
Hmm...have not thought about having multiple keys with same key tag.

Yeah, also just saw this in 4034:

> The key tag is used to help select DNSKEY resource records
> efficiently, but it does not uniquely identify a single DNSKEY
> resource record.  It is possible for two distinct DNSKEY RRs to have
> the same owner name, the same algorithm type, and the same key tag.
> An implementation that uses only the key tag to select a DNSKEY RR
> might select the wrong public key in some circumstances.  Please see
> Appendix B for further details.

Who the heck came up with this? ;-)

Changing this in epp will not be simple. There are tons of deployed things
out there (i.e. if we change to {keytag, algorithm} instead of just
{keytag}).

The text above from 4034 does though say:

> It is possible for two distinct DNSKEY RRs to have
> the same owner name, the same algorithm type, and the same key tag.

That is _not_ fun.

Only possible path forward is to always:

1. Remove all keys (in .SE we use keytag=0 to remove all keys)
2. Add the keys again

But there is a risk you have the zone with no keys then.

Aaaarrgghhhh!

    Patrik
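The key tag computation and the collision discussed above, as an added Python example that is not part of the original thread: it implements the RFC 4034 Appendix B key tag, builds two distinct DNSKEYs with the same tag, and shows why a registry that indexes DS operations by key tag alone (or by {keytag, algorithm}) cannot tell them apart. The DNSKEY values are constructed, and the lookup and removal helpers are assumptions, not any registry's code.

```python
import struct

def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """DNSKEY key tag per RFC 4034 Appendix B (all algorithms except 1).

    Algorithm 1 (RSA/MD5) uses the separate definition in Appendix B.1
    and is rejected here rather than silently mis-computed.
    """
    if algorithm == 1:
        raise ValueError("algorithm 1 key tag is defined differently (RFC 4034 B.1)")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, octet in enumerate(rdata):
        # even offsets are the high byte of a 16-bit word, odd offsets the low byte
        ac += (octet << 8) if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF   # fold the carry back in
    return ac & 0xFFFF

# Constructed sample DNSKEYs (flags, protocol, algorithm, public key), not real keys.
# KEY_B is KEY_A with two even-offset key octets swapped, so the 16-bit word sum,
# and therefore the key tag, is unchanged while the key material differs.
KEY_A = (257, 3, 8, bytes([0x03, 0x01, 0x00, 0x01, 0x10, 0x20, 0x30, 0x40]))
KEY_B = (257, 3, 8, bytes([0x03, 0x01, 0x00, 0x01, 0x30, 0x20, 0x10, 0x40]))

def select_by_tag(dnskeys, tag, algorithm=None):
    """Hypothetical EPP-style lookup that indexes keys by key tag
    (optionally by {keytag, algorithm}); returns every matching record."""
    return [k for k in dnskeys
            if key_tag(*k) == tag and (algorithm is None or k[2] == algorithm)]

def remove_by_tag(dnskeys, tag):
    """Remove one key by tag, but refuse when the tag is ambiguous so the
    registry never silently drops (or keeps) the wrong key."""
    matches = select_by_tag(dnskeys, tag)
    if len(matches) != 1:
        raise LookupError(f"key tag {tag} matches {len(matches)} keys; need a full-key reference")
    return [k for k in dnskeys if k is not matches[0]]

if __name__ == "__main__":
    zone = [KEY_A, KEY_B]
    tag = key_tag(*KEY_A)
    print(f"key tag {tag} selects {len(select_by_tag(zone, tag, 8))} keys with algorithm 8")
    try:
        remove_by_tag(zone, tag)
    except LookupError as exc:
        print("refused:", exc)
```

The ambiguity check is the defensive counterpart to the remove-all-then-re-add workaround: it turns a silent wrong-key removal into an explicit error that the client can resolve by sending the full key data.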

