On 04/23/2013 01:53 PM, Wes Hardaker wrote:
Edward Lewis <[email protected]> writes:
I firmly believe that a validator (as described in 4033-4035) should
have to be altered for the CDS proposal.
I don't think so at all. Validators will still provide you with a
"valid" answer for the CDS record no matter which key is used to sign
the RRSIG for it. That's all well and good already.
It's the (non-existent) application that will need the special rules.
It will have to do additional checks beyond ensure the record is simply
"valid". It'll have to check which key was used to sign it.
... thus creating a support problem when the customer checks their CDS
record, sees that it is "valid," and then doesn't understand why the
parent won't accept it.
IMO both signers AND validators would have to be (should be) updated
after this draft. Signers should not sign a CDS record with a non-SEP
key, validators shouldn't accept those signatures if they are sent.
And to say that we don't have that elsewhere and this is new isn't
correct either. 5011 has a number of similar semantics. Consider the
revoke bit for the simplest and closest to this case.
Perhaps you could elaborate? It's not clear to me how that case applies
in the child -> parent signalling direction.
Doug
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
