On Wed, 6 Jun 2012, zhanghaikuo wrote:

Dear dnsop work group,
I wrote a draft for DNSSEC, and it is a new method to deal with the emergency
rollover for a compromised key.
The draft follows:
https://datatracker.ietf.org/doc/draft-haikuo-ckds/?include_text=1

First, I don't think a draft should grab an IANA DNS type code like
you did. Instead of writing "53" you should write "[TBD]" which means
"to be decided"

Now on to the proposal,

The issue I see is that a CKDS needs to be explicitly queried for. Do
I have to re-query this when the negative cache TTL runs out? I cannot
only query it when I want to look up DS records, or I would miss this
"revocation" of the key. If I have a DS record that is cached for 1 day
or 1 week, when would I query for CKDS?

I understand you do not want to check the revoke bit in the DNSKEY,
because if compromised you could be given that key without the revoke
bit. But I'm still not sure when a resolver should look for a CKDS
record. And defining a null-CKDS would run into the exact same caching
problem as the actual DS record does.

Could you explain what would trigger a resolver to check for a CKDS
record?

Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
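The caching question Paul raises above can be made concrete with a toy model. The following is an added example, not code from the draft or from anyone on the thread; it does not implement the draft's CKDS semantics, only the resolver-side caching behaviour the question is about. Everything in it is assumed for illustration: a one-day DS TTL, a one-hour negative-cache TTL (SOA MINIMUM), a compromise that publishes a CKDS record 30 minutes after the resolver first validates, and two hypothetical trigger policies for when the resolver asks for CKDS.

```python
"""Toy model of when a resolver would notice a CKDS "revocation".

Constructed example, not from the draft: one parent zone, one resolver,
two hypothetical policies for when CKDS is (re)queried. All TTLs, names
and the CKDS semantics used here are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

DS_TTL = 86400        # assumed: DS record cached for one day
NCACHE_TTL = 3600     # assumed: negative-cache TTL (SOA MINIMUM) of one hour
COMPROMISE_AT = 1800  # assumed: CKDS published 30 min after first validation


class Authority:
    """Parent zone as the resolver sees it (constructed data).

    The DS for the key is always present; a CKDS record for the same key
    appears at COMPROMISE_AT and stays published afterwards.
    """

    def query(self, rtype: str, now: int) -> Optional[str]:
        if rtype == "DS":
            return "DS <digest-of-KSK>"
        if rtype == "CKDS":
            return "CKDS <digest-of-KSK>" if now >= COMPROMISE_AT else None
        raise ValueError(f"unknown type {rtype}")


@dataclass
class Resolver:
    auth: Authority
    policy: str  # "ckds_only_with_ds" or "ckds_on_expiry" (hypothetical names)
    # rtype -> (rdata or None for a negative answer, expires_at)
    cache: dict = field(default_factory=dict)
    # last CKDS answer, used only by the "ckds_only_with_ds" policy
    ckds_seen: Optional[str] = None

    def lookup(self, rtype: str, now: int) -> Tuple[Optional[str], bool]:
        """Return (rdata, fresh). Negative answers are cached for NCACHE_TTL."""
        hit = self.cache.get(rtype)
        if hit is not None and now < hit[1]:
            return hit[0], False
        rdata = self.auth.query(rtype, now)
        # Assumed: a positive CKDS answer carries the same TTL as the negative cache.
        ttl = DS_TTL if rtype == "DS" else NCACHE_TTL
        self.cache[rtype] = (rdata, now + ttl)
        return rdata, True

    def key_trusted(self, now: int) -> bool:
        """True if the resolver would still accept the key at time `now`."""
        ds, ds_fresh = self.lookup("DS", now)
        if ds is None:
            return False
        if self.policy == "ckds_only_with_ds":
            # Policy A: CKDS is asked for only when DS itself is fetched from
            # the parent; in between, the last CKDS answer is reused even after
            # its own cache entry has expired.
            if ds_fresh:
                self.ckds_seen, _ = self.lookup("CKDS", now)
            ckds = self.ckds_seen
        elif self.policy == "ckds_on_expiry":
            # Policy B: CKDS is checked on every validation, served from the
            # (negative) cache until that entry expires, then re-queried.
            ckds, _ = self.lookup("CKDS", now)
        else:
            raise ValueError(f"unknown policy {self.policy}")
        return ckds is None


def first_rejection(policy: str, step: int = 100,
                    horizon: int = 2 * DS_TTL) -> Optional[int]:
    """Seconds after first validation at which the key is first rejected."""
    resolver = Resolver(Authority(), policy)
    for now in range(0, horizon + 1, step):
        if not resolver.key_trusted(now):
            return now
    return None


def exposure_window(policy: str) -> int:
    """Seconds during which the compromised key is still trusted."""
    return first_rejection(policy) - COMPROMISE_AT


if __name__ == "__main__":
    for policy in ("ckds_only_with_ds", "ckds_on_expiry"):
        print(policy, "rejects at", first_rejection(policy),
              "exposure", exposure_window(policy))
```

Under policy A the revocation is only seen when the DS entry itself expires, so the exposure window is the remainder of the DS TTL; under policy B it is bounded by the negative-cache TTL instead, which is the same caching dependency the DS record already has, just with a shorter TTL.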