To: Ólafur Guðmundsson <ogud@ogud.com>
Cc: dnssec@cafax.se, Dan Massey <masseyd@isi.edu>, Edward Lewis <lewis@tislabs.com>
From: Jakob Schlyter <jakob@crt.se>
Date: Mon, 1 Oct 2001 09:57:21 +0200 (MEST)
In-Reply-To: <5.1.0.14.2.20010925120654.02b11ec0@localhost>
Sender: owner-dnssec@cafax.se
Subject: Re: Signalling DS support to resolvers
On Tue, 25 Sep 2001, Ólafur Guðmundsson wrote:

> First Dan Massey for using KEY flags to signal DS support:
>
> [..]
>
> The proposed answer is that the parent's key includes a flag to indicate
> DS or SIG@child. By looking at the parent's key, you can determine
> if the parent uses SIG@child or DS to sign its children.

How do we know if root uses DS or SIG@child?

> Second Edward Lewis for the use of SEC RR to signal DS usage
>
> [...]
>
> One of the means to indicate a zone's security semantics is to use the
> oft-suggested but never fully defined SEC RR set. The SEC RR set has been
> a latent suggestion to relate security information about a zone. There is
> natural resistance to defining a new RR set, which is why the SEC RR set
> has not been put forward.

I think it's time to define the SEC RR - storing information about the
security status of a zone, such as DS vs SIG@child, in several possible
locations (e.g. multiple KEYs) seems like bad design to me.

	jakob