Ed pointed me to a message he wrote [1] and some of the text there
triggered my "oh yeah; we need to start with the requirements" bell.  I
think part of the problem has been we don't have a good list of
requirements to compare any given solution to and we're talking around
them all because they're not written down (at least in one place).  So,
stealing bullets from Ed's text and adding some, what are in these lists
that shouldn't be, or is in the wrong place and what is missing
entirely?  There are some I surely suspect people disagree about their
location in the list.  This is very much a working-document list.

* MUST be able tos

  + Let the child be able to signal a desire to:
    - add a DS record for a key that is not yet published.
    - delete a DS record for a key that has never been published.
    - add a DS record for a key that is in use.
    - delete a DS record for a key that is in use.
    - add DS records for hashes not previously supported.
    - add DS records for hashes I am moving away from.

  + Allow the insertion/deletion action to be done by the parental agent
    when the child and parent both agree that one of these will trigger
    a "go" indication:
    - A child operator indicates "go" via a secondary mechanism (e.g., http)
    - Immediately after successful data verification within the transfer
      mechanism 

  + Not change existing DNSSEC validation steps (see [2] below)

* SHOULDs if possible
  + be able to signal using key material
  + be able to signal using DS hash material
  + operate on a single record at a time (publish this DS, don't touch
    the rest)

* MAYs
  + [2] If DNSSEC is used to validate the data, there may be other
    data verification steps (cryptographic or not) required before a
    "go" can occur

* Explicitly *not* a requirement:
  + Use the DNS itself as the transport


What else?  I'm quite sure there are more.  (And I'm pseudo-deliberately
stopping here to make sure that I don't sound like I'm trying to impose
only just my ideas or the ones I pulled from Ed's message).

Footnotes: 
[1]  http://www.ietf.org/mail-archive/web/dnsop/current/msg10293.html


-- 
Wes Hardaker
Parsons
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
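Added illustration, not code from this thread or from any IETF document: a small model of the parental-agent side of the requirements above. It assumes the parent derives the DS itself when the child signals with key material (RFC 4034 key tag and DS digest construction), that the agreed "go" trigger is either an out-of-band operator signal or successful in-transfer verification (OR semantics is an assumption), and that each signal acts on exactly one DS record; function names and the key bytes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split("."))
    return wire + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag over the whole DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = sum(((b << 8) if i % 2 == 0 else b) for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_key(owner, flags, algorithm, pubkey, digest_type=2) -> DS:
    """'Signal using key material': the parent derives the DS itself, so a
    digest type the parent never published before can be added for a key."""
    rdata = flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return DS(key_tag(rdata), algorithm, digest_type, digest)

def go_indication(operator_go: bool, transfer_verified: bool) -> bool:
    """The agreed trigger: an out-of-band 'go' (e.g. over http) or successful
    data verification inside the transfer mechanism (assumed OR semantics)."""
    return operator_go or transfer_verified

def apply_signal(parent_ds: frozenset, action: str, ds: DS, go: bool) -> frozenset:
    """Act on exactly one DS record; the rest of the DS set is untouched.
    Without 'go' nothing changes; deleting a never-published DS is a no-op."""
    if not go:
        return parent_ds
    if action == "add":
        return parent_ds | {ds}
    if action == "delete":
        return parent_ds - {ds}
    raise ValueError(f"unknown action {action!r}")

if __name__ == "__main__":
    # Constructed key material: a KSK (flags 257), RSASHA256, 4-byte stand-in key.
    ksk = ds_from_key("example.", 257, 8, bytes([3, 1, 0, 1]))
    published = apply_signal(frozenset(), "add", ksk, go_indication(False, True))
    print(sorted(d.key_tag for d in published))  # [1803]
```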
