To: Edward Lewis <lewis@tislabs.com>
cc: <dnssec@cafax.se>
From: Mats Dufberg <dufberg@nic-se.se>
Date: Fri, 22 Mar 2002 19:29:45 +0100 (CET)
In-Reply-To: <v03130300b8c0faaabd1e@[166.63.190.161]>
Sender: owner-dnssec@cafax.se
Subject: Re: Keys and DS
On Mar 22, 2002, 10:26 (-0500) Edward Lewis <lewis@tislabs.com> wrote:

> First question. Is there a requirement/need to have a child provide
> authentication during the sending of key material to the parent?
> (By "key material" I am not inferring a KEY set for this question.)

It must be up to the two parties (child and parent can be on the same server, and run by the same administrator). But I think there is room for a BCP that describes a reasonable model, which probably requires that the authentication of the child is verified.

> Second question. Should the child be responsible for sending the generated
> DS records to the parent? (This is perhaps a touchy question.) I won't
> elaborate further, I would like to hear opinions.

That must be up to the two parties. DS or KEY, what's the difference?

> Third question. With the use of DS, if each member of a zone's apex keyset
> is represented by a (signed) DS record at the parent, is/are SIG(KEY)s
> necessary? E.g., If I see this:

Yes. Even if there are cases when it is not strictly necessary you could easily shoot yourself in the foot.

Consider that the child has two apex KEY and two DS. The keys are not signed, and only key1 is used to sign zone data. If resolving from root there are no problems, but if a local resolver has added key2 as a trusted key (and goes directly to the authoritative server) it cannot follow the chain of trust.

Mats

----------------------------------------------------------------------
Mats Dufberg <dufberg@nic-se.se>
----------------------------------------------------------------------
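A small model of the failure mode Mats describes in his third answer, added here as an illustration and not code from the thread: the `Zone` structure, the key ids `key1`/`key2` and the `"parent"` anchor label are constructed for the model, and signatures are represented symbolically (as sets of signing key ids) rather than cryptographically.

```python
# Toy model of the chain of trust from the thread: parent DS records,
# the child's apex KEY RRset, SIG(KEY) over that RRset, and zone-data
# signatures. Signatures are symbolic (sets of key ids), not real crypto.
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    apex_keys: frozenset       # key ids present in the apex KEY RRset
    sig_key_by: frozenset      # key ids that made a SIG(KEY) over the apex KEY RRset
    data_signed_by: frozenset  # key ids whose SIGs cover ordinary zone data


def trusted_apex_keys(zone, trust_anchor, parent_ds):
    """Return the apex key ids a validator can trust.

    trust_anchor is the string "parent" when the validator walks down from a
    secure parent and relies on the DS set, or a single key id configured
    locally as a trusted key (the "local resolver" case in the thread).
    """
    if trust_anchor == "parent":
        trusted = parent_ds & zone.apex_keys   # each DS vouches for one matching key
    else:
        trusted = {trust_anchor} & zone.apex_keys
    # A SIG(KEY) produced by an already trusted key authenticates the whole
    # RRset, so trust spreads to every apex key. Without it nothing spreads.
    if trusted & zone.sig_key_by:
        trusted = set(zone.apex_keys)
    return trusted


def can_validate_data(zone, trust_anchor, parent_ds):
    """True if some trusted apex key actually signed the zone data."""
    return bool(trusted_apex_keys(zone, trust_anchor, parent_ds) & zone.data_signed_by)


# Constructed scenario from the thread: two apex keys, two DS, no SIG(KEY),
# only key1 signs zone data.
KEYS = frozenset({"key1", "key2"})
PARENT_DS = frozenset({"key1", "key2"})
UNSIGNED_KEYSET = Zone(KEYS, frozenset(), frozenset({"key1"}))
# Same zone, but the apex KEY RRset carries a SIG(KEY) from both keys.
SIGNED_KEYSET = Zone(KEYS, KEYS, frozenset({"key1"}))

if __name__ == "__main__":
    for label, zone in (("no SIG(KEY)", UNSIGNED_KEYSET), ("SIG(KEY) by both", SIGNED_KEYSET)):
        for anchor in ("parent", "key2"):
            ok = can_validate_data(zone, anchor, PARENT_DS)
            print(f"{label:17s} anchor={anchor:7s} ->", "validates" if ok else "FAILS")
```

Walking down from the parent succeeds in both zones, but the resolver with key2 as a local trusted key only succeeds once the apex KEY RRset carries a SIG(KEY) made by key2.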