On 2013-04-19, at 11:33, Paul Wouters <[email protected]> wrote:

> On Fri, 19 Apr 2013, Joe Abley wrote:
>
>>> Besides the other two comments: DS records are signed with the ZSK, and
>>> the CDS document explains why it needs to be signed with the KSK instead
>>> (also).
>>
>> I'm not sure I fully understand the logic of that, actually.
>>
>> Surely the important thing is that the apex CDS RRSet in the child zone can
>> be verified to be authentic.
>
> and that it is signed by the KSK holder - not the ZSK holder. If the
> parent would update its DS based on the child's ZSK's signature, then
> the ZSK is used as KSK and the ZSK holder can bypass the KSK, and thus
> separation of duties and/or different HSM/storage/security is bypassed.

I understand that concern, but I think we need to be pragmatic and avoid being overly prescriptive.

If an individual zone maintainer's processes impose a separation of duties between KSK management and ZSK management, then they should make decisions that they are comfortable with. The decisions as to how any CDS RRSet should be signed are in the right place, and I don't think it's sensible to require that the parent make assumptions about what is good or bad practice at the child.

I think that documenting these concerns (to encourage people to think about them) is sensible. I don't think it's sensible to make assumptions and prohibit behaviour that in many cases might be perfectly sensible.

Joe
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
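
The two parent-side policies debated in this thread, side by side, as an added example (not code from either poster or from the CDS draft). It assumes the RRSIGs over the CDS RRSet have already been cryptographically validated, and it treats "signed by the KSK" as "signed by a key the parent's current DS RRSet references"; all function names and key bytes are constructed for illustration.

```python
import hashlib
import struct

def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA wire form (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B, algorithms other than 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(name_wire(owner) + rdata).hexdigest()

def cds_signers(owner, dnskeys, parent_ds_digests, cds_rrsig_tags):
    """Map each key tag that signed the CDS RRSet to True when that key is
    one the parent's current DS RRSet already points at, else False."""
    report = {}
    for rdata in dnskeys:
        tag = key_tag(rdata)
        if tag in cds_rrsig_tags:
            report[tag] = ds_sha256(owner, rdata) in parent_ds_digests
    return report

def parent_accepts(report, require_ds_anchored_signer):
    """Strict policy: some CDS signer must match the current DS RRSet.
    Permissive policy: any validated signer from the child's DNSKEY RRSet."""
    if not report:
        return False
    return any(report.values()) if require_ds_anchored_signer else True

# Constructed sample data: the key bytes are placeholders, not real keys.
OWNER = "child.example."
KSK = dnskey_rdata(257, 8, b"constructed-ksk-public-key")
ZSK = dnskey_rdata(256, 8, b"constructed-zsk-public-key")
PARENT_DS = {ds_sha256(OWNER, KSK)}

if __name__ == "__main__":
    zsk_only = cds_signers(OWNER, [KSK, ZSK], PARENT_DS, {key_tag(ZSK)})
    print("strict:", parent_accepts(zsk_only, True),
          "permissive:", parent_accepts(zsk_only, False))
```

A CDS RRSet signed only by the ZSK is rejected under the strict policy and accepted under the permissive one, which is the behavioural difference the two posters disagree about.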
