On 01-03-13 16:50, Olafur Gudmundsson wrote:
> One of CDS's goals is to get the "Parent" out of the habit of
> calculating the hash, just publish what the Child wants.

I strongly disagree on this. I don't think the CDS goal should be to mandate registry policy. Let me get some real-world data in there.

The majority of DNSSEC delegations in TLDs today were set up by sending the DNSKEY to the registry and having the registry calculate the hash it supports at the parent. Our registrars do it, and they have absolutely no issue with it.

DS is on the parent side of the zone cut. The child should not bother to calculate the DS, certainly not with algorithms the parent doesn't support. The risk is that children can deliberately choose algorithms that will diminish the integrity of the parent zone. It should only care that the chain of trust points to the correct child DNSKEY. It's the parent that mandates the policy of the zone and domain it serves. From RFC 1034:

"When some organization wants to control its own domain, the first step is to identify the proper parent zone, and get the parent zone's owners to agree to the delegation of control."

If a child wants a delegation from a parent, it should follow the parent's policy. It's the parent that determines the policy and can choose the algorithms it wants to support under its domain. Let the parent calculate the hash it needs to put into its zone.

I feel the argument that states that "the parent should just publish what a child wants" is in violation of RFC 1034 and local registry policy. It is not documented anywhere where that argument comes from, and it is actually wrong. It's an anarchist attempt to bend the rules for more influence that does not comply with the DNS structure. Out of frustration that parents don't act as they would in supporting algorithms? Then choose a different parent. And it works just fine when everybody minds his own business. Children do DNSKEY, parents do DS.

-- 
Antoin Verschuren
Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500  M: +31 6 23368970
Mailto: [email protected]  XMPP: [email protected]
HTTP://www.sidn.nl/

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
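The parent-side workflow argued for above (child hands over a DNSKEY, the registry derives the DS with the digest types its own policy supports), as an added example that is not part of the original message or of any SIDN tooling. The parent policy, the owner name and the key bytes are constructed for illustration; the key-tag and digest computations follow RFC 4034.

```python
import base64
import hashlib

# DS digest types from the IANA registry (RFC 4034, RFC 4509, RFC 6605).
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Assumed parent policy (constructed): the registry publishes SHA-256 and
# SHA-384 DS records only, regardless of what digest type the child asks for.
PARENT_SUPPORTED_DIGESTS = (2, 4)


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire-format owner name, RFC 4034 section 6.2."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"  # the root zone
    wire = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as sent on the wire (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Hex digest of owner-name || DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    if digest_type not in DIGEST_ALGOS:
        raise ValueError(f"DS digest type {digest_type} not supported by this parent")
    return hashlib.new(DIGEST_ALGOS[digest_type], name_to_wire(owner) + rdata).hexdigest().upper()


def parent_ds_records(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str):
    """DS RRset the parent publishes for a child DNSKEY: (key tag, algorithm,
    digest type, digest) for each digest type in the parent's own policy."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    tag = key_tag(rdata)
    return [(tag, algorithm, dt, ds_digest(owner, rdata, dt)) for dt in PARENT_SUPPORTED_DIGESTS]
```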
