To: Patrik Fältström <paf@cisco.com>
Cc: Andrew Sullivan <ajs@shinkuro.com>, ietf-provreg@cafax.se
From: Edward Lewis <Ed.Lewis@Neustar.biz>
Date: Tue, 27 Oct 2009 18:29:34 -0400
In-Reply-To: <F06D032B-8447-4468-9152-06FEC6F1EE77@cisco.com>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: [ietf-provreg] Anyone working on 4310-bis?
At 22:23 +0100 10/27/09, Patrik Fältström wrote:
>Hmm...have not thought about having multiple keys with same key tag.

That's probably because dnssec-keygen won't return a key that has the same keytag as another one in its view.

>Yeah, also just saw this in 4034:
>
>> The key tag is used to help select DNSKEY resource records
>> efficiently, but it does not uniquely identify a single DNSKEY
>> resource record. It is possible for two distinct DNSKEY RRs to have
>> the same owner name, the same algorithm type, and the same key tag.
>> An implementation that uses only the key tag to select a DNSKEY RR
>> might select the wrong public key in some circumstances. Please see
>> Appendix B for further details.
>
>Who the heck came up with this? ;-)

I'll blame Olafur.

>That is _not_ fun.

Neither is a lot of other stuff in DNS - like round robin, case preservation, etc. It's not fun, but not an obstacle.

>Only possible path forward is to always:
>
>1. Remove all keys (in .SE we use keytag=0 to remove all keys)
>2. Add the keys again

We could specify the DS record by the key hash in the DS. This is about provisioning the DS after all.

If there's gonna be an update to 4310, it has to be out there soon. We haven't gone live, but, we have already implemented RFC 4310 as is.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is that they're not getting traction.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
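The point of the thread (a key tag does not uniquely identify a DNSKEY, but the DS digest over owner name plus RDATA does) can be checked directly. The following is an added example written for this page, not code from the list, from .SE or from any registry implementation: it implements the key tag computation from RFC 4034 Appendix B and the SHA-256 DS digest from RFC 4509 (digest type 2), and feeds them two constructed DNSKEY records whose public-key bytes are short toy values rather than real RSA keys, chosen so that their key tags collide while their DS digests differ. The owner name `example.se.` is likewise a constructed sample.

```python
import hashlib
import struct


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Build DNSKEY RDATA in wire format (RFC 4034 section 2.1):
    2-byte flags, 1-byte protocol, 1-byte algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5).
    Even-offset bytes are weighted by 256, odd-offset bytes by 1, then the
    16-bit carry is folded back in. Byte swaps between even offsets leave the
    tag unchanged, which is one reason distinct keys can share a tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA
    (RFC 4034 section 5.1.4 with the SHA-256 registration from RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


# Constructed sample keys (flags 257 = KSK, protocol 3, algorithm 8 = RSASHA256).
# The 4-byte "public keys" are placeholders, not real key material; KEY_B is
# KEY_A with the bytes at offsets 0 and 2 of the key swapped.
OWNER = "example.se."
KEY_A = dnskey_rdata(257, 3, 8, bytes([0x10, 0x20, 0x30, 0x40]))
KEY_B = dnskey_rdata(257, 3, 8, bytes([0x30, 0x20, 0x10, 0x40]))


def compare_keys(owner: str = OWNER, a: bytes = KEY_A, b: bytes = KEY_B) -> dict:
    """Return whether two DNSKEY RDATA blobs collide on key tag and on DS digest."""
    return {
        "tag_a": key_tag(a),
        "tag_b": key_tag(b),
        "same_tag": key_tag(a) == key_tag(b),
        "same_rdata": a == b,
        "same_ds": ds_digest(owner, a) == ds_digest(owner, b),
    }


if __name__ == "__main__":
    result = compare_keys()
    print(f"key tag A={result['tag_a']} B={result['tag_b']} same_tag={result['same_tag']}")
    print(f"same RDATA={result['same_rdata']} same DS digest={result['same_ds']}")
```

A provisioning interface that removes or matches a key by tag alone cannot tell KEY_A from KEY_B; one that matches on the DS digest (or the full DNSKEY RDATA) can, which is the distinction the reply above draws between "keytag=0 to remove all keys" and identifying the DS by its hash.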