On Sep 26, 2013, at 12:05 AM, Matthijs Mekking <[email protected]> wrote:
> Hi,
>
> I thought it would be good to start a thread about CDS or CDNSKEY, given
> the recent discussion on dnssec-deployment.

Thank you! I'm off at another meeting and that thread got away from me… :-)

> CDS is a nice proposal for automating the delegation signer
> information at the parent and is able to deal with all possible rollover
> scenarios.

Yup.

> Its drawback however is that it cannot be used by registries
> that require the delegation signer information to be submitted as DNSKEY.
>
> There are two straight-forward solutions for this, imo:
>
> 1. New RRtype: CDNSKEY
> Which is similar to CDS except it publishes the DNSKEY RDATA elements of
> the to-be DS RRset. A parental agent that calculates the DS itself would
> poll for the CDNSKEY RRset.
>
> 2. Adjust the CDS RR format
> The CDS RDATA is equal to the DNSKEY RDATA plus one RDATA element for
> what (preferred) hash is to be used.
>
> The first solution has some minor drawbacks:
> * It requires a new RRtype for something that can also be done within an
> existing RRtype (CDS after changing the format).
> * For the child signer system it would need an additional configuration
> knob to decide whether to publish CDS or CDNSKEY.
>
> Adjusting the CDS RR format makes the CDS proposal compliant with both
> 'requiring DS' and 'requiring DNSKEY' registries.

Yup, but the way you have written option 2 (unless I misunderstand) doesn't allow for "standby keys".

An option that was discussed (sorry, cannot remember if it was on-list or over a beer) was to have the CDS record be:

RRTYPE <selector> <data>

If the selector is 0, then the data element is a DS record. If the selector is $something_else then the data is a DNSKEY. The selector could be the hash type that you would like...

AFAIR, the main objections to this were that it makes parsing *slightly* harder / there is a view that it is less elegant.

So, I *think* basically what you suggested as option 2, but if the "what (preferred) hash is to be used" part is e.g. 0, then the data bit is already hashed.

Thoughts?
W

> Best regards,
> Matthijs
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

--
Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup.
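To make the selector idea in the message above concrete, here is an added example (not from the thread, and not any registry's or signer's code) of how a parental agent could normalise a selector-based CDS record into DS rdata: selector 0 means the data is already a DS, any other selector is taken as the DS digest type and the data as a DNSKEY, from which the DS is computed per RFC 4034. The record layout, the function names and the tiny sample key are assumptions for illustration.

```python
import base64
import hashlib
import struct

# DS digest type -> hash (1 = SHA-1, RFC 4034; 2 = SHA-256, RFC 4509)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical (lower-case) wire form of a fully qualified owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY rdata (non-RSA/MD5 keys)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def dnskey_to_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Build DS rdata (key_tag, algorithm, digest_type, hex digest) from a DNSKEY."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def normalise_cds(owner, presentation):
    """Parse '<selector> <data>' (hypothetical format from the mail) into DS rdata.

    selector 0      -> data is DS rdata:     keytag alg digest_type digest
    selector N != 0 -> data is DNSKEY rdata: flags protocol alg base64key,
                       and N is the DS digest type the child prefers.
    Unknown selector values are rejected so the parent never guesses a hash.
    """
    selector, *data = presentation.split()
    selector = int(selector)
    if selector == 0:
        tag, alg, dtype, digest = data
        return int(tag), int(alg), int(dtype), digest.upper()
    if selector not in DIGEST_ALGS:
        raise ValueError("unsupported digest type in selector: %d" % selector)
    flags, protocol, alg, key = data
    return dnskey_to_ds(owner, int(flags), int(protocol), int(alg), key, selector)


if __name__ == "__main__":
    # Constructed records with a two-byte fake key, not a real DNSKEY
    print(normalise_cds("example.", "2 257 3 8 AQI="))
    print(normalise_cds("example.", "0 1291 8 2 " + "00" * 32))
```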
