Tony,
CDS allows:
        publication of DS w/o inclusion in DNSKEY
        publication of DS with a hash that the Parental Agent
                does not "support".
One of CDS's goals is to get the "Parent" out of the habit of
calculating the hash, and just publish what the Child wants.
In theory a parent can amend what the Child wants by adding
a DS record for a strong digest algorithm, but then the parent
has to remove these records when the child removes the algorithm,
yes, and that has the corner case that a child could have two
keys with the same algorithm and the same key tag :-).

IFF we think that no one will use the two actions above we can
just use the SEP bit and let the parent calculate the hash, but that
leaves the parent in a vulnerable position, i.e. if the parent only
publishes Digest_alg X hashes and few implementations support X,
those domains look unsigned to a large part of the world.


        Olafur


On 01/03/2013 06:37, Tony Finch wrote:
> Stephan Lagerholm <[email protected]> wrote:
> > Friday, March 01, 2013 11:58 AM Tony Finch wrote:
> > > Hmm, I wonder if it would be enough to put only the key tag in the CDS
> > > RDATA,
> >
> > That wouldn't work because you might have two keys with exactly the same
> > key-tag. You can't be certain that the key-tag is unique.
>
> True, however it's common for tools to ensure tags are unique.
>
> > > and let the parent calculate the DS from the corresponding
> > > DNSKEY.
> >
> > Assuming that the parent knows the algorithm that the child wishes to
> > use for his DS record. That might not always be the case.
>
> You could include an algorithm field.
>
> Tony.
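As an added example (not from this thread), the key-tag and DS computations the discussion turns on, written in Python from RFC 4034: two constructed DNSKEYs whose key tags collide show why a CDS carrying only the tag is ambiguous, and a hypothetical parent's digest-type table shows a DS the parent cannot compute when it lacks the child's digest algorithm. The key bytes are constructed filler, not real RSA keys, and the supported-digest table is an assumption.

```python
import hashlib
import struct

# DS digest types this hypothetical parent supports: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
# Type 3 (GOST) is deliberately absent to model a "Digest_alg X" the parent lacks.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of the owner name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def parent_supports(digest_type):
    return digest_type in DIGEST_ALGS

def ds_digest(name, rdata, digest_type):
    """DS digest = H(owner name wire | DNSKEY RDATA); fails if the parent lacks H."""
    if not parent_supports(digest_type):
        raise ValueError(f"digest type {digest_type} not supported by this parent")
    return DIGEST_ALGS[digest_type](owner_wire(name) + rdata).hexdigest()

def ds_record(name, rdata, digest_type):
    """DS RDATA fields: (key tag, algorithm, digest type, digest)."""
    return key_tag(rdata), rdata[3], digest_type, ds_digest(name, rdata, digest_type)

# Constructed sample: two RSASHA256 (alg 8) KSKs (flags 257). KEY_B is KEY_A with two
# even-offset bytes swapped, which leaves the key tag unchanged although the keys differ.
KEY_A = bytes(range(1, 33))
_key_b = bytearray(KEY_A)
_key_b[0], _key_b[2] = _key_b[2], _key_b[0]
KEY_B = bytes(_key_b)
RDATA_A = dnskey_rdata(257, 8, KEY_A)
RDATA_B = dnskey_rdata(257, 8, KEY_B)

def tag_collision():
    """True when a CDS carrying only the key tag could not tell the two keys apart."""
    return RDATA_A != RDATA_B and key_tag(RDATA_A) == key_tag(RDATA_B)
```

With an algorithm field alone the parent still needs the digest type; `ds_digest` raises for a type outside its table rather than silently publishing nothing.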


_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop