On Thu, Jul 08, 2010 at 11:39:33AM +0200, Olaf Kolkman wrote:
>
> I observe though that 4641 is mainly written from the perspective of a
> 'zone-owner' and that I am not quite sure where to give specific advice to
> administrators of recursive nameservers.
>
> So before text is drafted there is an explicit question to the WG on whether
> this document should contain a section that gives guidance to recursive
> nameserver operators?
is there also a distinction between a "zone owner" and its
authoritative
nameservers?
If the document is primarly oriented toward a "zone owner" then
references to
nameserver administrators should be; a) kept to a minimum, and b)
clearly stated
at the head of the docuement, the focus of the advice, e.g. to "zone
owners".
> > 2. There are also multiple ways in which the auth nameserver operators will
> > manage key rollover.
> >
> > Authoritative operators should free to decide if they want to manage their
> > keys in a RFC5011 manner or not. RFC4641bis should place no restriction on
> > authoritative servers.
>
>
> Hmmm. Currently the document does not restrict auth servers but it does give
> recommendations such as (in version 02 in the 1 but last paragraph of 3.1.2:
>
> It is therefore recommended to regularly roll KSKs if and only if those
> rollovers can be
> tracked using automated RFC5011 type mechanisms.
>
> Note the way this is phrased doesn't even say that 5011 is the magic bullet.
>
> Question to the WG: is the document in any way restrictive on not using 5011,
> or is its consideration for advising RFC5011 to strong?
there have been some arguements about the periodicity of key rolls.
Unless
this document can have a clearly defenseable position for recommending
"regular"
rollovers and having such tied to RFC 5011, it might be wise to
decouple this
work from RFC 5011... unless this work really depends on RFC 5011 use.
> >
> > (3. With RFC5011 we now have some confusion in the current RFCs about the
> > status of the SEP bit.
> >
> > RFC4034 describes the SEP bit as follows
> > "Bit 15 of the Flags field is the Secure Entry Point flag, described in
> > [RFC3757]. If bit 15 has value 1, then the DNSKEY record holds a key
> > intended for use as a secure entry point. This flag is only intended to be
> > a hint to zone signing or debugging software as to the intended use of this
> > DNSKEY record; validators MUST NOT alter their behaviour during the
> > signature validation process in any way based on the setting of this bit."
> >
> > RFC4041
> > RFC4041 recommends "In this document, we assume a one-to-one mapping
> > between KSK and SEP keys and we assume the SEP flag to be set on all KSKs"
> > This clearly alters RFC 4034 and gives some meaning to the SEP bit.
>
> s/4041/4641/
My understanding about the SEP bit is reflected in the RFC 4034 text.
In 4061, the
authors have exceeded the definition in 4034 and based their work on
that assumption...
which doesn't appear to be valid :)
> >
> > RFC5011
> > RFC5011 describes a method for securely managing key rollover via the use
> > of the SEP bit and the addition of a revoke bit. This clearly redefines the
> > original meaning of the SEP bit in RFC4034.
>
> >
> > Could 4641bis or something mention
> >
> > 1. RFC3757 is not obsolete
> > 2. RFC3757 is updated by RFC5011
RFC 5011 describes "A" method, not "THE ONLY" method. One is or should
be free to interpret
the SEP as defined in RFC 4034.
>
> I do not think that this (non standards track document) should tinker with
> the status of any standards track document. Besides I believe that what is in
> 4034 says: SEP is not interpreted during the validation but can be used as a
> hint for operational matters (and then mentions debugging and zonesigning).
Agreed.
>
> > The SEP bit is described in [RFC3757] and updated in RFC5011. However, it
> > plays no part in the validation process. It may only be used in the
> > automated key rollover process as described in RFC5011.)
> >
>
> While chewing on section 3.1 yesterday and today it seemed that having a
> separate section on the use of SEP is appropriate.
>
> On this work is in progress.
>
> (I updated
> http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/trust_anchor_configuration)
>
>
> --Olaf
>
>
>
> ________________________________________________________
>
> Olaf M. Kolkman NLnet Labs
> Science Park 140,
> http://www.nlnetlabs.nl/ 1098 XG Amsterdam
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
