To: dnssec@cafax.se
Cc: lewis@tislabs.com
From: Edward Lewis <lewis@tislabs.com>
Date: Fri, 22 Mar 2002 10:26:02 -0500
Sender: owner-dnssec@cafax.se
Subject: Keys and DS
Off and on, there have been discussions on how to do child-parent key
exchanges. A number of different ways are being proposed; I think it is
important to note that there is no reason that just one way must be chosen.
I think it would be a waste of bits to try and argue over any one approach
in a mailing list; experience and code are better arbiters. But I do want
to gather opinions on some issues. Again - "gathering opinions" doesn't
mean trying to hammer consensus out of folks that do not agree.
First question. Is there a requirement/need to have a child provide
authentication during the sending of key material to the parent?
(By "key material" I am not inferring a KEY set for this question.)
Second question. Should the child be responsible for sending the generated
DS records to the parent? (This is perhaps a touchy question.) I won't
elaborate further; I would like to hear opinions.
Third question. With the use of DS, if each member of a zone's apex keyset
is represented by a (signed) DS record at the parent, is/are SIG(KEY)s
necessary? E.g., if I see this:
   parent
      delegation-point.parent  DS  <DS bits>
                               SIG DS ... by parent key ...

   child
      @    SOA ....
           SIG SOA ... by zone's key ...
           NS+ ...
           SIG NS ... by zone's key ...
           KEY ... (pointed to by DS)
           NXT and SIG (NXT) ... of course
      www  AAAA ...
           SIG AAAA ... by zone's key ...
           NXT and SIG (NXT) ... of course
Is there a need for a SIG(KEY)?
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis NAI Labs
Phone: +1 443-259-2352 Email: lewis@tislabs.com
Opinions expressed are property of my evil twin, not my employer.
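As an added example, not part of Ed Lewis's message or of the list discussion, the Python below shows the child-to-parent linkage that the second and third questions rest on: the child derives a DS from each apex key, and the parent checks that a DS it has been handed actually corresponds to a key in the child's keyset before signing and publishing it. The DS construction is the one that was standardized in RFC 3658 and carried into RFC 4034 (digest over the canonical wire-format owner name followed by the key RDATA; key tag per RFC 2535 Appendix C / RFC 4034 Appendix B); SHA-256 as digest type 2 came later and is included only to show the general algorithm. The zone name, key bytes and flag values are constructed for illustration and are not from the original message.

```python
import base64
import hashlib
import struct

# Constructed example data: a hypothetical child zone and one apex key given
# as (flags, protocol, algorithm, base64 public key). Flags 257 = zone key
# with the SEP bit, protocol 3, algorithm 5 = RSA/SHA-1. The key bytes are
# made up (exponent length byte, exponent 65537, then filler), not a real key.
CHILD_ZONE = "delegation-point.parent."
EXAMPLE_KEY = (257, 3, 5,
               base64.b64encode(bytes([3, 1, 0, 1]) + bytes(range(1, 33))).decode())

DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash


def canonical_wire_name(name):
    """Owner name in canonical wire form: lowercase labels, each preceded by
    its length byte, terminated by the root label. Escaped dots inside a
    label are not handled by this helper (assumption: plain hostnames)."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format RDATA of the key record: flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag over the RDATA (RFC 4034 Appendix B, inherited from RFC 2535).
    This is the general form; algorithm 1 (RSA/MD5) has its own rule."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, key, digest_type=1):
    """Child side: derive the DS for one apex key. The digest covers the
    canonical owner name followed by the key RDATA, so the same key under a
    different owner name yields a different DS."""
    flags, protocol, algorithm, pubkey_b64 = key
    rdata = key_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGOS[digest_type](canonical_wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_key(ds, owner, key):
    """Parent side: does a received DS correspond to this key? Key tag and
    algorithm are only hints (tags can collide); the digest is the real check."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGEST_ALGOS:
        return False   # unknown digest type: cannot verify, so do not publish it
    return make_ds(owner, key, digest_type) == (tag, algorithm, digest_type, digest.upper())


def keys_without_ds(owner, ds_set, keys):
    """Members of the apex keyset that no DS in ds_set points at. The third
    question in the message assumes this list is empty."""
    return [k for k in keys if not any(ds_matches_key(ds, owner, k) for ds in ds_set)]


def ds_presentation(owner, ds):
    """Render a DS tuple in master-file presentation format."""
    tag, algorithm, digest_type, digest = ds
    return f"{owner} DS {tag} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    ds = make_ds(CHILD_ZONE, EXAMPLE_KEY)
    print(ds_presentation(CHILD_ZONE, ds))
    # A second constructed key that was never sent to the parent:
    other_key = (256, 3, 5,
                 base64.b64encode(bytes([3, 1, 0, 1]) + bytes(range(33, 65))).decode())
    print("apex keys lacking a DS:", keys_without_ds(CHILD_ZONE, [ds], [EXAMPLE_KEY, other_key]))
```

Two points the code makes concrete: because the owner name is part of the digest, a DS the child generates is bound to the delegation name and cannot be reused for another delegation, and because the parent can recompute the DS from the key itself, the parent does not have to trust a child-supplied DS blindly; it can verify it against the child's published keyset before signing it, which bears on the second question.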