On Tue, 2020-05-26 at 09:40 -0400, Paul Wouters wrote:

> I thought my initial reading this was stored inside a DNSKEY was wrong
> and things are actually stored in a DS digest. And DS records do not
> have flags of the DNSKEY, so why are we talking again about DNSKEY
> flags?
When I ask my resolver for TXT validpin.dotpin.powerdns.club., the following things happen in the resolver:

Queries are issued to root, TLD, etc., until the delegation to validpin.dotpin.powerdns.club from dotpin.powerdns.club is received. It looks like this:

    validpin.dotpin.powerdns.club. NS pdns-public-ns1.powerdns.com.
    validpin.dotpin.powerdns.club. NS pdns-public-ns2.powerdns.com.
    validpin.dotpin.powerdns.club. DS 17418 225 2 ....
    validpin.dotpin.powerdns.club. IN RRSIG DS ....

In this test deployment, we have chosen algorithm number 225 by fair dice roll.

The resolver connects to an NS, let's say pdns-public-ns1.powerdns.com, on port 853. During the handshake, the resolver receives the SubjectPublicKeyInfo from the name server. The resolver then constructs, in memory, a DNSKEY:

    pdns-public-ns1.powerdns.com. DNSKEY 0 3 225 [base64-encoded SPKI]

The resolver then turns this into a DS with the normal procedure for DNSKEYs (https://tools.ietf.org/html/rfc4034#section-5.1.4). This yields a DS with some keytag, algo number 225, and digest type 2 (because that's what we saw in the DS set).

The resolver checks if the resulting DS is in the DS set given by the parent. If so, we are now connected securely. If not, we disconnect and do not use this name server.

> I don't know what you will use for keytag.

https://tools.ietf.org/html/rfc4034#appendix-B

> The digest type would also be some strange number meaning
> "not really a DNSKEY digest".

The digest type is one of the types from https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml, just as with normal DNSKEY processing.

> So why talk about DNSKEY flags? Where do these appear in the proposal?

The proposal currently has no need for any flags, so the flags field is set to zero. If we come up with convincing reasons for flags, we could define some.

> Why make life harder
> by needing to stuff square things into round boxes twice instead of
> once?
Because many registries only accept DNSKEY (via EPP or as CDNSKEY), and insist on doing the digesting into a DS on their end.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
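Worked example of the resolver-side computation the message describes, added here as illustration; it is not code from Peter, Paul, PowerDNS or the draft. It builds the in-memory DNSKEY (flags 0, protocol 3, algorithm 225, key = the SPKI bytes from the handshake), derives the key tag per RFC 4034 Appendix B and the DS digest per RFC 4034 section 5.1.4, and checks the result against the parent's DS set. The SPKI bytes and the parent DS set are constructed in the block, the function names and the tuple layout for a DS record are my own, and the owner name hashed into the digest is a parameter: RFC 4034 hashes the DNSKEY's owner name, which in the message is the name server's name, so the parent's DS must have been computed over the same name for a match to be possible.

```python
import hashlib

# DS digest types from the IANA "DS RR types" registry that hashlib covers.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Algorithm number the thread's test deployment picked "by fair dice roll".
ALGO_DOT_PIN = 225

# Constructed stand-in for the DER-encoded SubjectPublicKeyInfo taken from
# the name server's TLS handshake; real bytes would come from its certificate.
SAMPLE_SPKI = bytes(range(0x10, 0x30))


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2: labels lowercased)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the general case, algorithm != 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """DS as (key tag, algorithm, digest type, hex digest) per RFC 4034 s5.1.4:
    digest = hash(canonical owner name | DNSKEY RDATA)."""
    hasher = DIGEST_ALGOS[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_from_spki(server_name: str, spki: bytes, digest_type: int = 2) -> tuple:
    """The resolver's side: build the in-memory DNSKEY (flags 0, protocol 3,
    algorithm 225, public key = SPKI) and turn it into a DS."""
    rdata = dnskey_rdata(0, 3, ALGO_DOT_PIN, spki)
    return ds_from_dnskey(server_name, rdata, digest_type)


def pin_matches(server_name: str, spki: bytes, parent_ds_set: list) -> bool:
    """True if the DS computed from the presented SPKI is in the parent's DS set.
    Each DS record dictates the digest type to use for it; records with an
    unsupported digest type or another algorithm can never match, so they are
    skipped rather than treated as an error."""
    for ds in parent_ds_set:
        _tag, algorithm, digest_type, _digest = ds
        if algorithm != ALGO_DOT_PIN or digest_type not in DIGEST_ALGOS:
            continue
        if ds_from_spki(server_name, spki, digest_type) == ds:
            return True
    return False


def ds_presentation(zone: str, ds: tuple) -> str:
    """Zone-file line in the shape of the DS record shown in the delegation."""
    tag, algorithm, digest_type, digest = ds
    return f"{zone} DS {tag} {algorithm} {digest_type} {digest}"


# Constructed: the DS record the parent (dotpin.powerdns.club) would publish for
# the pinned server, derived here from SAMPLE_SPKI so the example is self-contained.
PARENT_DS_SET = [ds_from_spki("pdns-public-ns1.powerdns.com", SAMPLE_SPKI)]

if __name__ == "__main__":
    print(ds_presentation("validpin.dotpin.powerdns.club.", PARENT_DS_SET[0]))
    print("pinned key accepted:",
          pin_matches("pdns-public-ns1.powerdns.com", SAMPLE_SPKI, PARENT_DS_SET))
    # A server presenting any other key is rejected, and the resolver disconnects.
    print("other key accepted:",
          pin_matches("pdns-public-ns1.powerdns.com", b"\x00" + SAMPLE_SPKI[1:], PARENT_DS_SET))
```

The digest type is never chosen by the resolver: `pin_matches` takes it from each DS record in the parent set, which is the "because that's what we saw in the DS set" step above, and the same key tag routine works for any algorithm number other than 1, so the dice-rolled 225 needs no special casing.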