At 17:35 09/03/2009, Mark Andrews wrote:

        On a related issue DS -> DNSKEY translations cannot be
        performed until the DNSKEY is published in the zone.  The
        use of DS prevents pre-publishing of keys.

Once the key is generated a DS of it can be generated.

Our draft does not in any way make any assumptions about how
trust anchors are "discovered" or "disseminated".
What can be done with a DNSKEY TA can be done with a DS TA.
DS prepublication has the further advantage that it does not expose the
key during the "pre-publication period", preventing factoring attacks
on the key during this time period.
        I can see no real reason to recommend that DS records be
        published in preference to DNSKEY records.

We see nothing but problems by using DNSKEY records.
We want to prevent the configured party from blindly using DNSKEY records
by forcing it to fetch the current DNSKEY RRset and make sure the trust anchor
configured is still there.
By configuring DS instead of DNSKEY the processing is almost the same as it is
for delegations. The last thing we want is for a compromised TA to be usable to sign
forged answers for a long time after the compromised key is removed/revoked.

        DNSKEY -> DS is a conversion that can be done at any time.

        This makes DNSKEY a better mandatory record to publish.

I do not follow

        Olafur
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
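Added example (not code from either poster or from the draft): the DNSKEY -> DS conversion the thread refers to (RFC 4034 section 5.1.4 digest, Appendix B key tag), followed by the check Olafur describes, i.e. a DS-form trust anchor is only used if some key in the zone's current DNSKEY RRset still hashes to it. The owner name example. and all key material below are constructed placeholders, not real keys.

```python
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = zone key with SEP bit set (a KSK), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_owner(name: str) -> bytes:
    """Owner name in canonical wire format: lowercased, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY) -> tuple:
    """DS RDATA as (key tag, algorithm, digest type 2 = SHA-256, hex digest).
    RFC 4034 s5.1.4: digest = SHA-256(canonical owner name | DNSKEY RDATA)."""
    digest = hashlib.sha256(canonical_owner(owner) + key.rdata()).hexdigest()
    return key_tag(key), key.algorithm, 2, digest


def ta_still_present(owner: str, ds_ta: tuple, dnskey_rrset: list) -> bool:
    """A DS trust anchor is usable only while a key in the live DNSKEY RRset matches it;
    once the key is removed or revoked from the RRset, no DNSKEY hashes to the TA."""
    return any(ds_from_dnskey(owner, k) == ds_ta for k in dnskey_rrset)


# Constructed placeholder keys: 64 bytes of deterministic filler, not real key material.
KSK = DNSKEY(257, 3, 13, bytes(range(64)))
ZSK = DNSKEY(256, 3, 13, bytes(range(64, 128)))
SUCCESSOR_KSK = DNSKEY(257, 3, 13, bytes(range(128, 192)))

if __name__ == "__main__":
    ta = ds_from_dnskey("example.", KSK)      # what the operator would configure as the TA
    print("configured DS TA:", *ta)
    print("TA live:", ta_still_present("example.", ta, [KSK, ZSK]))
    print("TA after KSK removed:", ta_still_present("example.", ta, [SUCCESSOR_KSK, ZSK]))
```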