CC:
ietf-provreg@cafax.se
From:
Klaus Malorny <Klaus.Malorny@knipp.de>
Date:
Wed, 04 Nov 2009 21:06:57 +0100
In-Reply-To:
<4AF18249.9060806@publisher.de>
Sender:
owner-ietf-provreg@cafax.se
User-Agent:
Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1.6pre) Gecko/20091104 Shredder/3.0pre
Subject:
Re: [ietf-provreg] Anyone working on 4310-bis?
On 04/11/09 14:31, Ulrich Wisser wrote:
>> So there are registries out there looking to support a keyData
>> interface for
>> DNSSEC, where the client would pass just the keyData on an add/rem/chg?
>> Would the DS data be returned in the info response?
>
> James, I've heard from several registries considering it. But I have no
> input about this from registrars. From a registry standpoint dealing
> with keys instead of ds records makes operations much simpler.
>
> We would not return DS data. .SE would put two DS records for each key
> in the zone file. So returning DS records would mean to return the key
> twice. With the proposed change we would return the key data in the info
> command.
>
> /Ulrich
Hi all,
sorry for flooding the list, but I prefer to keep issues separated.
I'd like to dig a little bit deeper on this dsData/keyData issue:
So we would allow either to
* [DS]: specify only the DS data
* [KEY]: specify only the DNSKEY data; the registry would be responsible to
generate DS record(s) from it
* [DS/KEY]: specify both DS and DNSKEY data; the registry would either
silently ignore the DS data and use the key data as in [KEY], or use
the DNSKEY to verify the correctness of the DS data. I wouldn't
recommend the first case, though.
in <create> and <update> requests?
It would be upon the registry policy which of the three (including any
combination of them) would be accepted.
In the <rem> section of an <update>, how can a user remove an existing entry?
* a [DS] entry could remove an existing [DS] or [DS/KEY] entry,
but it probably should not be able to remove a [KEY] entry
* a [KEY] entry could remove an existing [KEY], [DS/KEY] entry
or multiple [DS] entries (e.g. with different digest types),
but the latter is probably not recommended
* a [DS/KEY] entry could remove all three types
Again, it would probably be the best to define the acceptable ways as a registry
policy, wouldn't it?
For the <info> request, I would like propose that the answer returns exactly the
data that has been specified in the <create>/<update> requests.
However, different answers could be imaginable:
* a [KEY] could be returned either as the respective [DS] entries
(maybe even in addition).
* [DS/KEY] could be returned as [DS] only.
One final thing:
I believe that the <maxSigLife> element should be removed from the group
definition and put directly into the sequence, so that it may be also specified
in a key data only solution. Or shall it not be applicable in this case? I.e.:
<complexType name="dsDataType">
<sequence>
<group minOccurs="0">
<sequence>
<element name="keyTag" type="unsignedShort"/>
<element name="alg" type="unsignedByte"/>
<element name="digestType" type="unsignedByte"/>
<element name="digest" type="hexBinary"/>
</sequence>
</group>
<element name="maxSigLife" type="secDNS:maxSigLifeType"
minOccurs="0"/>
<element name="keyData" type="secDNS:keyDataType"
minOccurs="0"/>
</sequence>
</complexType>
Regards,
Klaus
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
List run by majordomo software. For (Un-)subscription and similar details
send "help" to ietf-provreg-request@cafax.se