On Fri, 19 Apr 2013, Edward Lewis wrote:
Sorry. You are right. CDS is a method for non-TLD parent-children to
communicate the KSK information from child to parent. And even more
important because there might be no EPP or other standardized channel.
That's fine. Don't publish CDS as a child, or ignore CDS as a parent.
How do my customers then get the DS from our servers to their registration
systems (registrars with EPP or not)?
The state of the art is cut and paste for most. Without a standard here, we
are stuck with a lowest common denominator situation.
Now I'm confused about what you would like to see. You wrote:
My response is that the CDS should not automatically cause a change to
the DS, just marshal the data.
I am pushing to rely on a second factor (the security over the c&c
channel to the parent) to verify the request.
I'm not comfortable with in-band scraping.
I guess we could add language that states the intention of the child.
If the CDS is signed by the KSK, the child agrees for the parent to update the
DS.
If the CDS is signed by the ZSK, the child is just "marshalling the data" and
the parent should look elsewhere for the authentication of that data.
This still leaves open that a compromised KSK can lead to parent DS
changes, but I don't see a way around that without sacrificing the
requirement that fully automated KSK rollovers using just DNSSEC data
in the zone should be possible.
Paul
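The acceptance rule sketched in the message above (a KSK-signed CDS signals consent to a DS update, a ZSK-signed CDS only marshals data) written out as a parent-side check; this is an added illustration, not code from the thread. The zone name, DNSKEY values and CDS digest are constructed, and cryptographic validation of the RRSIG over the CDS RRset is assumed to have been done by a validator beforehand, so only the signer's key tag reaches this check.

```python
import hashlib
import struct

# Constructed DNSKEY RRset for a hypothetical child zone. Flags 257 = ZONE|SEP
# (a KSK), 256 = ZONE only (a ZSK). The key material is placeholder bytes, not
# real keys; key tags and DS digests are still computed per RFC 4034.
ZONE = b"example.test."
DNSKEYS = [
    {"flags": 257, "protocol": 3, "alg": 13, "key": bytes(range(64))},
    {"flags": 256, "protocol": 3, "alg": 13, "key": bytes(range(64, 128))},
]
SEP_FLAG = 0x0001  # Secure Entry Point bit marks a KSK


def dnskey_rdata(k):
    return struct.pack("!HBB", k["flags"], k["protocol"], k["alg"]) + k["key"]


def key_tag(k):
    """Key tag per RFC 4034 Appendix B (non-algorithm-1 form)."""
    acc = 0
    for i, b in enumerate(dnskey_rdata(k)):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def wire_name(name):
    out = b"".join(bytes([len(l)]) + l for l in name.rstrip(b".").split(b"."))
    return out + b"\x00"


def ds_digest_sha256(zone, k):
    """DS digest (type 2) = SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(zone) + dnskey_rdata(k)).hexdigest()


def parent_should_update_ds(rrsig_keytag, cds_digest, zone=ZONE, keys=DNSKEYS):
    """Decide whether the parent may act on a child's CDS.
    Assumes the RRSIG has already been cryptographically validated;
    rrsig_keytag identifies which DNSKEY produced it."""
    signer = next((k for k in keys if key_tag(k) == rrsig_keytag), None)
    if signer is None:
        return False, "signer not in child DNSKEY RRset"
    if not signer["flags"] & SEP_FLAG:
        return False, "signed by ZSK: data only marshalled, authenticate out of band"
    # Sanity check: the advertised DS must correspond to a published DNSKEY
    # (during a rollover the old KSK signs a CDS that names the new one).
    if not any(ds_digest_sha256(zone, k) == cds_digest for k in keys):
        return False, "CDS digest matches no published DNSKEY"
    return True, "signed by KSK: child consents to DS update"
```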
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop