

To: Patrik Fältström <paf@cisco.com>
Cc: Andrew Sullivan <ajs@shinkuro.com>, ietf-provreg@cafax.se
From: Edward Lewis <Ed.Lewis@Neustar.biz>
Date: Tue, 27 Oct 2009 18:29:34 -0400
In-Reply-To: <F06D032B-8447-4468-9152-06FEC6F1EE77@cisco.com>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: [ietf-provreg] Anyone working on 4310-bis?

At 22:23 +0100 10/27/09, Patrik Fältström wrote:

>Hmm...have not thought about having multiple keys with same key tag.

That's probably because dnssec-keygen won't 
return a key that has the same keytag as another 
one in its view.

>Yeah, also just saw this in 4034:
>
>>  The key tag is used to help select DNSKEY resource records
>>  efficiently, but it does not uniquely identify a single DNSKEY
>>  resource record.  It is possible for two distinct DNSKEY RRs to have
>>  the same owner name, the same algorithm type, and the same key tag.
>>  An implementation that uses only the key tag to select a DNSKEY RR
>>  might select the wrong public key in some circumstances.  Please see
>>  Appendix B for further details.
>
>Who the heck came up with this? ;-)

I'll blame Olafur.

>That is _not_ fun.

Neither is a lot of other stuff in DNS - like 
round robin, case preservation, etc.  It's not 
fun, but not an obstacle.

>Only possible path forward is to always:
>
>1. Remove all keys (in .SE we use keytag=0 to remove all keys)
>2. Add the keys again

We could specify the DS record by the key hash in 
the DS.  This is about provisioning the DS after 
all.

If there's gonna be an update to 4310, it has to 
be out there soon.  We haven't gone live, but we 
have already implemented RFC 4310 as is.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
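The two points in this message, that a key tag does not uniquely identify a DNSKEY (the RFC 4034 text quoted above) and that a DS record can instead be specified by its key hash, can be shown concretely. The following Python is an added example, not code from the thread or from any registry or RFC; it implements the key-tag algorithm of RFC 4034 Appendix B and the DS digest of RFC 4034 section 5.1.4 (digest type 2, SHA-256, as in RFC 4509). The DNSKEY RDATA values are constructed sample bytes, not real keys, chosen so that two distinct keys at the same owner and algorithm share a key tag but have different DS digests.

```python
"""Added example (not from the thread): why a DNSKEY key tag is not a unique
identifier, and why a DS digest is. Key tag per RFC 4034 Appendix B; DS digest
per RFC 4034 section 5.1.4 with digest type 2 (SHA-256, RFC 4509). The DNSKEY
values below are constructed sample data, not real keys."""
import hashlib


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag for a DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def wire_name(name: str) -> bytes:
    """Canonical (lower-case, length-prefixed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest (type 2 / SHA-256) over owner name || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()


# Constructed sample: a KSK (flags 257) using algorithm 8 (RSASHA256) with a
# stand-in "public key" that is NOT a real RSA key, just bytes for the demo.
OWNER = "example."
KEY_A = dnskey_rdata(257, 3, 8, bytes([0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD, 0xEF, 0x12]))
# KEY_B swaps two even-offset bytes of the public key. The key-tag sum only
# weights bytes by their position parity, so the tag is unchanged while the
# key material differs: a distinct DNSKEY with the same owner, algorithm and
# key tag, exactly the case RFC 4034 warns about.
KEY_B = dnskey_rdata(257, 3, 8, bytes([0x00, 0x01, 0x03, 0x01, 0xAB, 0xCD, 0xEF, 0x12]))
KEYSET = [KEY_A, KEY_B]


def select_by_key_tag(keys, tag: int):
    """What a 'remove the key with keytag N' operation would match: can be >1."""
    return [k for k in keys if key_tag(k) == tag]


def select_by_ds_digest(owner: str, keys, digest: bytes):
    """Selecting by DS digest pins exactly one DNSKEY RDATA."""
    return [k for k in keys if ds_digest(owner, k) == digest]


if __name__ == "__main__":
    tag = key_tag(KEY_A)
    print(f"key tag of A = {tag}, key tag of B = {key_tag(KEY_B)}")
    print("keys matched by key tag:", len(select_by_key_tag(KEYSET, tag)))
    print("keys matched by DS digest of A:",
          len(select_by_ds_digest(OWNER, KEYSET, ds_digest(OWNER, KEY_A))))
```

Run as a script it reports that both constructed keys carry key tag 41451, that a tag-based selection matches two keys, and that a digest-based selection matches one. The design point for a provisioning protocol follows directly: an operation keyed only by key tag is ambiguous for a delete or replace, while one keyed by the DS digest (owner name plus full RDATA hashed) names exactly the record the registrar means.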