On 20-04-11 11:58, Matthijs Mekking wrote:
> Hi Antoin,
>
> It is assumed that in the cooperating case, both operators allow
> publishing of the signatures.
>
> So they don't create the signature themselves, they merely copy the
> signature and publish it in their version of the zone.
Ok, so that's a second option I hadn't thought about, because it is
impractical in practice. I guess in theory this will work, but only if
the zone, DNSKEY set and RRSIGs are static for the complete rollover period.
In the case I have seen and discussed so far, only the public keys were
exchanged, and not the signatures. Exchanging signatures takes yet
another step in the process, as a new signature can only be created
after receiving the new keys. And it only works if the signatures have
an expiry that is longer than the transfer process.
When you use the Double-DS rollover, child A only needs to receive B's
new public keys, and signs them only with KSK_A. Child B has already
queried A's public keys and has already signed the DNSKEY set with only
KSK_B.
For the Double-DS method, that is sufficient.
I guess you can now also have child A copy RRSIG_K_B(DNSKEY) and child B
copy RRSIG_K_A(DNSKEY), but this is another step in the process that
consumes propagation time and extra interaction. It also prevents the
children from refreshing the signatures when they expire, unless they have
yet another interaction.
This was the scheme I had in mind with Double-DS and cooperating DNS
providers:
------------------------------------------------------------
initial             | Double DS                              |
------------------------------------------------------------
Parent:
NS_A                  NS_A
DS_A                  DS_A
                      DS_B
------------------------------------------------------------
Child at A:           Child at A:          Child at B:
SOA_A0                SOA_A1               SOA_B0
RRSIG_Z_A(SOA)        RRSIG_Z_A(SOA)       RRSIG_Z_B(SOA)
NS_A                  NS_A                 NS_B
RRSIG_Z_A(NS)         RRSIG_Z_A(NS)        RRSIG_Z_B(NS)
DNSKEY_Z_A            DNSKEY_Z_A           DNSKEY_Z_A
DNSKEY_K_A            DNSKEY_Z_B           DNSKEY_Z_B
RRSIG_K_A(DNSKEY)     DNSKEY_K_A           DNSKEY_K_A
                      DNSKEY_K_B           DNSKEY_K_B
                      RRSIG_K_A(DNSKEY)    RRSIG_K_B(DNSKEY)
------------------------------------------------------------

------------------------------------------------------------
Redelegation        | post migration                         |
------------------------------------------------------------
Parent:
NS_B                  NS_B
DS_A                  DS_B
DS_B
------------------------------------------------------------
Child at A:           Child at B:          Child at B:
SOA_A2                SOA_B1               SOA_B2
RRSIG_Z_A(SOA)        RRSIG_Z_B(SOA)       RRSIG_Z_B(SOA)
NS_B                  NS_B                 NS_B
RRSIG_Z_A(NS)         RRSIG_Z_B(NS)        RRSIG_Z_B(NS)
DNSKEY_Z_A            DNSKEY_Z_A           DNSKEY_Z_B
DNSKEY_Z_B            DNSKEY_Z_B           DNSKEY_K_B
DNSKEY_K_A            DNSKEY_K_A           RRSIG_K_B(DNSKEY)
DNSKEY_K_B            DNSKEY_K_B
RRSIG_K_A(DNSKEY)     RRSIG_K_B(DNSKEY)
------------------------------------------------------------
There is less data to exchange.
-- 
Antoin Verschuren
Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500 F: +31 26 3525505 M: +31 6 23368970
mailto:[email protected] xmpp:[email protected]
http://www.sidn.nl/
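An added illustration, not part of Antoin's mail: a small Python model of the four stages in the tables above, checking at each stage that a validator holding only the parent's DS set can build a chain of trust to the DNSKEY RRset and the SOA/NS data served by each provider. The symbolic key names, the ChildView/Stage classes and the premature_ds_removal counter-example are assumptions of this model, not anything from the thread.

```python
from dataclasses import dataclass
# Constructed model of the rollover tables above: "K_A" is KSK_A, "Z_B" is
# ZSK_B, and RRSIG_K_X(DNSKEY) is modelled as "K_X signed the DNSKEY RRset".
# Signature bytes are not checked; only the key relationships are.

@dataclass
class ChildView:
    provider: str        # DNS operator serving this copy of the zone
    dnskeys: set         # keys in the published DNSKEY RRset
    dnskey_signers: set  # KSKs whose RRSIG covers the DNSKEY RRset
    zone_signer: str     # ZSK signing SOA/NS (RRSIG_Z_*)

@dataclass
class Stage:
    name: str
    parent_ds: set       # KSKs referenced by DS records at the parent
    children: list

def dnskey_validates(stage, child):
    """Chain of trust: a DS at the parent must match a KSK that is both in
    the served DNSKEY set and has signed that set (RFC 4035)."""
    return bool(stage.parent_ds & child.dnskeys & child.dnskey_signers)

def zone_data_validates(stage, child):
    """SOA/NS validate if the DNSKEY set validates and contains their ZSK."""
    return dnskey_validates(stage, child) and child.zone_signer in child.dnskeys

def check_stage(stage):
    return {c.provider: zone_data_validates(stage, c) for c in stage.children}

ALL = {"Z_A", "Z_B", "K_A", "K_B"}
STAGES = [  # one entry per stage column of the two tables
    Stage("initial", {"K_A"}, [ChildView("A", {"Z_A", "K_A"}, {"K_A"}, "Z_A")]),
    Stage("Double DS", {"K_A", "K_B"}, [ChildView("A", ALL, {"K_A"}, "Z_A"),
                                        ChildView("B", ALL, {"K_B"}, "Z_B")]),
    Stage("Redelegation", {"K_A", "K_B"}, [ChildView("A", ALL, {"K_A"}, "Z_A"),
                                           ChildView("B", ALL, {"K_B"}, "Z_B")]),
    Stage("post migration", {"K_B"}, [ChildView("B", {"Z_B", "K_B"}, {"K_B"}, "Z_B")]),
]

def check_all():
    """Every provider's copy should validate at every stage of the rollover."""
    return {s.name: check_stage(s) for s in STAGES}

def premature_ds_removal():
    """Counter-example (hypothetical): withdrawing DS_A while A still serves a
    DNSKEY set signed only by KSK_A breaks A's copy; B's copy is unaffected."""
    broken = Stage("Double DS without DS_A", {"K_B"}, STAGES[1].children)
    return check_stage(broken)
```

The counter-example is the operational point of keeping both DS records published until the redelegation has propagated: as long as any resolver may still reach provider A, the parent must keep DS_A.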
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop