Hi Antoin, It's clear that we have different opinions on this, and I don't want to argue for the sake of noisemaking. However, I have a couple of clarifying questions (see below).
On 2013-03-04, at 11:21, Antoin Verschuren <[email protected]> wrote:

> On 04-03-13 16:02, Joe Abley wrote:
>
> > I think TLD registry operators should remove themselves from the
> > business of providing quality control over DS RRSets, just as
> > (most) do with NS RRSets. Such behaviour unnecessarily constrains
> > technical decisions made by the operators of child zones, acts to
> > suppress the use of new algorithms and provides no tangible benefit
> > to child nor parent.
>
> And gives room to all the miscreants that want to abuse that as it
> only gives benefit to the use case of that one child, but a parent has
> to watch over all his children.

How is it safer for the operator of a parent zone to generate DS RRSets from supplied DNSKEY RRSets (constrained to only those algorithms the parent has blessed) than to accept any DS RRSets from children? You seem to have a threat in mind that the former behaviour mitigates, but I can't see what it is.

> I don't see the difference in algorithm adoption when only a DS hash
> at the parent is to be chosen freely when the parent's DNSKEY is still
> set by parent's policy. A DS is not a SEP, the DNSKEY is. I feel the
> whole discussion is more emotion than fact. People want to influence
> what their parent does, as little children asking for a higher
> allowance. Not realizing that they can be a parent themselves if they
> want to, but walk away from that responsibility.

So, to clarify, can the operator of a child zone who prefers to use an algorithm 14 DNSKEY send you that key, confident that you will accept it? What about algorithm 253?

> I think the whole idea of sending a DS to your parent is also
> historical, and has nothing to do with the model.

I agree, it's a bit tangential to the question at hand (although it's relevant to the question of whether the operator of a child zone should have any influence over the digest algorithm used in the parent's DS RRSets).
I don't agree that sending a DS RRSet to your parent is historical, though, since it seems to me that most TLD registries accept a DS RRSet and not a DNSKEY RRSet. I've done no survey to confirm these numbers (as I mentioned before, it's just personal experience based on the TLDs I happen to interact with). Rather than "historical" I would have said "common practice today". Joe
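The two registry models being argued over above (parent derives the DS from a submitted DNSKEY under its own algorithm policy, versus parent accepts whatever DS the child publishes) come down to a small amount of arithmetic from RFC 4034. The following is an added illustration, not code from either correspondent or from any registry: it builds a DNSKEY RDATA from a constructed public key, computes the key tag, derives the DS digest over the canonical owner name plus RDATA for a chosen digest type, and shows how an algorithm allow-list at the parent (the hypothetical `ACCEPTED_ALGORITHMS` set below is an assumption, not any real registry's policy) would turn away a key using an algorithm the parent has not yet added, which is exactly the adoption concern raised in the thread.

```python
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1 (RFC 4034),
# 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Hypothetical parent-side policy (assumption for this example): the parent
# only derives DS records for DNSKEYs using these DNSSEC algorithm numbers.
ACCEPTED_ALGORITHMS = {8, 13}   # RSASHA256, ECDSAP256SHA256


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercase, RFC 4034 section 6.2)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (with the Appendix B.1 rule for algorithm 1)."""
    if rdata[3] == 1:
        # RSA/MD5: most significant 16 bits of the least significant 24 bits of the modulus.
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int):
    """Derive (key tag, algorithm, digest type, hex digest) for a DS record.

    The digest covers the canonical owner name followed by the DNSKEY RDATA.
    """
    try:
        hasher = DS_DIGEST_ALGS[digest_type]
    except KeyError:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    digest = hasher(name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], digest_type, digest.hex().upper()


def parent_accepts_dnskey(rdata: bytes, allowed=ACCEPTED_ALGORITHMS) -> bool:
    """Policy check a 'DNSKEY-submitting' parent would apply before deriving a DS."""
    return rdata[3] in allowed


def present_ds(owner: str, rdata: bytes, digest_type: int) -> str:
    """Presentation-format DS record line."""
    tag, alg, dtype, hexdigest = ds_from_dnskey(owner, rdata, digest_type)
    return "%s IN DS %d %d %d %s" % (owner, tag, alg, dtype, hexdigest)


if __name__ == "__main__":
    # Constructed sample keys (not real key material): a KSK (flags 257) using
    # algorithm 13, and one using algorithm 14 (ECDSAP384SHA384).
    ksk13 = dnskey_rdata(257, 3, 13, bytes([0xAB, 0xCD]) * 32)
    ksk14 = dnskey_rdata(257, 3, 14, bytes(range(96)))
    for rdata in (ksk13, ksk14):
        if parent_accepts_dnskey(rdata):
            print("derived by parent: ", present_ds("example.", rdata, 2))
        else:
            print("rejected by parent policy: algorithm %d" % rdata[3])
    # A parent that accepts a child-supplied DS never runs the check above;
    # the child chooses both the DNSKEY algorithm and the DS digest type.
    print("child-supplied DS:", present_ds("example.", ksk14, 4))
```

The key tag and digest are the same whichever side computes them; the only thing the "parent derives it" model adds is the policy gate, which is where a new algorithm number such as 14 or a private-use number such as 253 gets stuck until the parent's list changes.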
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
