To: Edward Lewis <lewis@tislabs.com>
Cc: dnssec@cafax.se
From: Jakob Schlyter <jakob@crt.se>
Date: Fri, 22 Mar 2002 10:06:30 -0600 (CST)
In-Reply-To: <v03130300b8c0faaabd1e@[166.63.190.161]>
Sender: owner-dnssec@cafax.se
Subject: Re: Keys and DS
On Fri, 22 Mar 2002, Edward Lewis wrote:

> First question. Is there a requirement/need to have a child provide
> authentication during the sending of key material to the parent?
> (By "key material" I am not inferring a KEY set for this question.)

during normal key rollover this is probably not necessary if the new key
material is authenticated by the old key material. on initial key exchange
or at emergency key rollover, authentication is critical.

> Second question. Should the child be responsible for sending the generated
> DS records to the parent? (This is perhaps a touchy question.) I won't
> elaborate further, I would like to hear opinions.

a signed keyset could be authenticated by itself (together with a previous
key). a set of ds records sent to the parent needs additional authentication.

> Third question. With the use of DS, if each member of a zone's apex keyset
> is represented by a (signed) DS record at the parent, is/are SIG(KEY)s
> necessary? E.g., If I see this:

since SIG(DS) at the parent could be used, this doesn't seem necessary. but,
on the other hand, why bother not having it?

jakob
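The binding the third question turns on, a DS record at the parent authenticating one member of the child's apex keyset, is shown below as an added example that is not part of this thread or of any poster's code; it follows the DS construction later standardised in RFC 4034 (digest over canonical owner name plus DNSKEY RDATA, key tag per Appendix B), and the child key is a constructed dummy, not a real key.

```python
import hashlib
import hmac

# Constructed sample, not a real key: flags=256 (zone key), protocol=3,
# algorithm=8 (RSA/SHA-256), followed by a 4-byte dummy public key field.
SAMPLE_DNSKEY_RDATA = bytes([0x01, 0x00, 0x03, 0x08, 0x01, 0x02, 0x03, 0x04])


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag as in RFC 4034 Appendix B (all algorithms except the old
    RSA/MD5 special case): 16-bit big-endian word sum with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """Derive the DS RDATA the parent publishes for one child DNSKEY:
    digest = H(canonical owner name || DNSKEY RDATA). Type 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = h(wire_name(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_matches_key(ds: dict, owner: str, rdata: bytes) -> bool:
    """Validator-side check: does this parent-side DS authenticate this child key?
    Key tag and algorithm are cheap filters; the digest is the actual binding,
    so a key altered in transit, or a key under another owner name, fails here."""
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    expected = compute_ds(owner, rdata, ds["digest_type"])["digest"]
    return hmac.compare_digest(ds["digest"], expected)


if __name__ == "__main__":
    ds = compute_ds("child.example.", SAMPLE_DNSKEY_RDATA)
    print(f"child.example. DS {ds['key_tag']} {ds['algorithm']} "
          f"{ds['digest_type']} {ds['digest'].hex()}")
    print("parent DS authenticates child key:",
          ds_matches_key(ds, "child.example.", SAMPLE_DNSKEY_RDATA))
```

Because the digest covers the child's key itself, a DS set the child hands to the parent over an unauthenticated channel is exactly the value an attacker would want to substitute, which is the point made in the answer to the second question.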