In message <[email protected]>, "Stephan Lagerholm" writes:
> Mark,
>
> On 12.04.2012, at 14:21, Marc Lampo wrote:
>
> > It holds an alternative possibility to overcome the problem
> > - for operators of validating name servers - of failing domains
> > because of DNSSEC.
> >
> > The alternative is to have a parent regularly (no frequency defined)
> > check the coherence of DS information they have against DNSKEY
> > information it finds published.
> > If the parent detects "security lameness" (term used in RFC4641bis)
> > its possible reaction could be to remove the DS information.
>
> => From my experience, "active parenting" is not a good practice.
> Specifically in this case, you are assuming that the parent knows the
> algorithms used for the DS record. He would have to in order to
> validate. That might not always hold true. Additionally, the record is
> not 'yours', it is just parked in your zone by the child. For the parent
> to tamper with either the NS or DS is IMHO not a good practice.
There is a difference between "tamper" and "Hey, you stuffed up. You need
to fix the delegation or we will remove it as it is causing operational
problems", and yes, there *are* RFCs that permit this to happen. Parents
are already REQUIRED to make these sorts of checks of the records
involved in the delegation according to RFC 1034.

As for not knowing the DS algorithm, that is just garbage. For DS records
to be useful the algorithms need to be well known. There are no private
DS algorithms.

Mark

> /S
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
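The coherence check the thread is arguing about, the parent recomputing DS digests from the child's published DNSKEY RRset and flagging "security lameness" when no DS is backed by a usable key, looks like the following. This is an added Python example, not code from the DNSOP thread or from ISC; the zone name `child.example.`, the two DNSKEY records and the stale DS tuple are constructed sample data, and the base64 is filler rather than real key material. The digest and key-tag arithmetic follows RFC 4034 (sections 5.1.4, 6.2 and Appendix B); what the parent does with an orphaned DS (notify, wait, remove) is a policy decision the code leaves to the caller.

```python
import base64
import hashlib
import struct

# DS digest types a parent must know to recompute digests (RFC 4034, RFC 4509, RFC 6605).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

ZONE_KEY_FLAG = 0x0100  # RFC 4034 section 2.1.1
DNSSEC_PROTOCOL = 3


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 octets), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(presentation: str) -> bytes:
    """Turn 'flags protocol algorithm base64...' (DNSKEY presentation RDATA) into wire RDATA."""
    flags, protocol, algorithm, *key_chunks = presentation.split()
    return dnskey_rdata(int(flags), int(protocol), int(algorithm),
                        base64.b64decode("".join(key_chunks)))


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY, RFC 4034 Appendix B (ignores the obsolete algorithm-1 special case)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Digest field of a DS record: hash(owner name in wire form || DNSKEY RDATA)."""
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def check_delegation(child: str, parent_ds, child_dnskeys):
    """Parent-side coherence check of its DS RRset against the child's DNSKEY RRset.

    parent_ds:     iterable of (key_tag, algorithm, digest_type, digest_hex) held in the parent
    child_dnskeys: DNSKEY RDATA (bytes) currently published at the child apex
    Returns which DS records are backed by a published key and whether the delegation
    is 'security lame': no DS matches any key, so validators fail the whole zone.
    """
    # Only keys a validator may use: Zone Key flag set and protocol 3 (RFC 4035 section 5.2).
    usable = {}
    for rdata in child_dnskeys:
        flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
        if flags & ZONE_KEY_FLAG and protocol == DNSSEC_PROTOCOL:
            usable.setdefault((key_tag(rdata), algorithm), []).append(rdata)
    matched, orphaned = [], []
    for tag, algorithm, digest_type, digest in parent_ds:
        candidates = usable.get((tag, algorithm), [])
        if digest_type in DIGEST_ALGOS and any(
                ds_digest(child, rdata, digest_type) == digest.upper() for rdata in candidates):
            matched.append((tag, algorithm, digest_type))
        else:
            orphaned.append((tag, algorithm, digest_type))
    return {"matched": matched, "orphaned": orphaned, "lame": not matched}


# Constructed sample data (not real keys): a child zone publishing a KSK and a ZSK.
CHILD = "child.example."
KSK = parse_dnskey("257 3 8 AwEAAcONSTRUCTEDKSKkeydataNotRealXYZ")
ZSK = parse_dnskey("256 3 8 AwEAAcONSTRUCTEDZSKkeydataNotRealABC")
CHILD_DNSKEYS = [KSK, ZSK]

# DS the parent generated from the current KSK, i.e. coherent with what is published.
DS_CURRENT = (key_tag(KSK), 8, 2, ds_digest(CHILD, KSK, 2))
# DS left behind after a KSK rollover: constructed key tag and digest with no matching key.
DS_STALE = (12345, 8, 2, "00" * 32)


def run_demo():
    """Three parent-side checks: healthy, a stale DS next to a good one, and fully lame."""
    healthy = check_delegation(CHILD, [DS_CURRENT], CHILD_DNSKEYS)
    leftover = check_delegation(CHILD, [DS_CURRENT, DS_STALE], CHILD_DNSKEYS)
    lame = check_delegation(CHILD, [DS_STALE], CHILD_DNSKEYS)
    return healthy, leftover, lame


if __name__ == "__main__":
    for label, report in zip(("healthy", "leftover", "lame"), run_demo()):
        print(f"{label}: {report}")
```

The "leftover" case is the common post-rollover state: the zone still validates because one DS chains to a published key, so only the orphaned DS needs attention. The "lame" case is the one both Marc Lampo's proposal and Mark's reply are concerned with: every DS points at a key the child no longer publishes, and validating resolvers will return SERVFAIL for the whole zone until either the DNSKEY RRset or the parent's DS set is corrected. Note that the check only needs the digest type and the key's algorithm number from the DS record itself, which is the point Mark makes about DS algorithms having to be well known.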
