On 11/11/2010 5:32 PM, Stephan Lagerholm wrote:
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of George Barwood
Sent: Thursday, November 11, 2010 4:15 PM
To: Rickard Bellgrim; [email protected]
Subject: Re: [DNSOP] Comments on DS Publication draft
----- Original Message -----
From: "Rickard Bellgrim"<[email protected]>
To:<[email protected]>
Sent: Wednesday, November 10, 2010 3:53 PM
Subject: [DNSOP] Comments on DS Publication draft
Hi
I have some comments on the document draft-barwood-dnsop-ds-publish-01:
1. Introduction (3rd paragraph)
It is not always the case that the child is the one defining the DS
RRset. Some parents want (for some reason) to create the DS RRset based
on their own policy (choice of hash) and based on what DNSKEY RR the
child sends in.
I'll take your word for this, but this practice seems a "very bad idea"
to me.
.GOV currently creates their own DS from the DNSKEY the "customer"
uploads to the web GUI. There is no way to create the DS yourself. I
agree that this is bad practice but I think we need to take this into
account.
Maybe we need a paragraph in rfc4641bis saying why this is a bad idea.
In my mind this boils down to the arguments as if "parent knows best" vs
"child knows best".
Having observed .gov in action I think we need to make a strong case for
"parent should not mess up child".
Olafur
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop