On Oct 4, 2013, at 1:51 AM, Matthijs Mekking <[email protected]> wrote:
> On 10/03/2013 10:06 PM, Paul Wouters wrote:
>> On Thu, 3 Oct 2013, Warren Kumari wrote:
>>
>>> Ok, I just want to make completely sure I understand (so I make sure
>>> that I'm correctly capturing things in the draft).
>>>
>>> We would have 2 RRs, one of CDS and one of CDNSKEY.
>>>
>>> CDS is as described in the earlier version of the doc.
>>> example.com. 86400 IN CDS 31589 8 1
>>> 3490A6806D47F17A34C29E2CE80E8A999FFBE4BE
>>>
>>> and CDNSKEY is:
>>> example.com. 86400 IN CDNSKEY 257 3 8
>>> AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipoj
>>> rW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzF
>>> sSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/H
>>> HU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZ
>>> Yc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vm
>>> cUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXU E7yyETrQd18=
>>>
>>> Parents who want DS poll (or whatever) for CDS, parents who want
>>> DNSKEY poll (or whatever) for CDNSKEY.
>>>
>>> Hopefully I'm understanding, because this seems much cleaner, simpler
>>> and more elegant than the CTA stuff that I described.
>>> So, is this what folk would like? If not, apologies for being dim...
>>
>> Yes.
>
> And no.
>
> We could introduce a separate RRtype for synchronizing DS with DNSKEY
> material: CDNSKEY.
>
> We could also reuse the CDS RRtype. Then for parents who want DS poll:
>
> example.com. 86400 IN CDS *1* 257 3 8
> AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipoj
> rW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzF
> sSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/H
> HU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZ
> Yc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vm
> cUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXU E7yyETrQd18=
>
> and parents who want DNSKEY poll:
>
> example.com. 86400 IN CDS *0* 257 3 8
> AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipoj
> rW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzF
> sSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/H
> HU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZ
> Yc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vm
> cUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXU E7yyETrQd18=
>
>
> Parents who do DS poll would still have to create the DS record, but at
> least the child can signal which hash has to be used.

But no, because now the parents who want DS are not getting DS -- they are getting DNSKEY.

This also doesn't satisfy the desire for standby keys (which perhaps we have been talking past each other about). Some children want to be able to publish a DS record, but not expose the DNSKEY until they start using it -- the method you have described doesn't allow for that…

W

>
> Best regards,
> Matthijs
>
>>
>> Paul
>> _______________________________________________
>> DNSOP mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/dnsop
>

-- 
"Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life." -- Terry Pratchett
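What a parent that "polls for CDNSKEY" has to do with the child's record, shown as an added example that is not part of this thread: rebuild the DNSKEY wire RDATA from the presentation form, compute the RFC 4034 key tag, and hash the owner name plus RDATA with whichever digest type the parent prefers (1 = SHA-1, 2 = SHA-256) to obtain the DS it will publish. The record is the CDNSKEY quoted above with its wrapped base64 lines joined; the function names and the parsing helper are my own.

```python
import base64
import hashlib
import struct

# The CDNSKEY quoted in the thread (flags 257 = KSK, protocol 3,
# algorithm 8 = RSA/SHA-256), wrapped base64 lines joined back together.
EXAMPLE_CDNSKEY = (
    "example.com. 86400 IN CDNSKEY 257 3 8 "
    "AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipoj"
    "rW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzF"
    "sSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/H"
    "HU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZ"
    "Yc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vm"
    "cUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXU"
    "E7yyETrQd18="
)

# DS digest types a parent may pick: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def parse_dnskey(line: str):
    """Split a presentation-format DNSKEY/CDNSKEY into (owner, flags, proto, alg, rdata)."""
    fields = line.split()
    owner, rtype = fields[0], fields[3]
    if rtype not in ("DNSKEY", "CDNSKEY"):
        raise ValueError(f"expected DNSKEY or CDNSKEY, got {rtype}")
    flags, proto, alg = (int(f) for f in fields[4:7])
    pubkey = base64.b64decode("".join(fields[7:]))  # base64 may span several fields
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return owner, flags, proto, alg, rdata

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_to_ds(line: str, digest_type: int = 1) -> str:
    """Return the DS RDATA a parent would publish for this DNSKEY/CDNSKEY."""
    owner, _flags, _proto, alg, rdata = parse_dnskey(line)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest.upper()}"
```

Running dnskey_to_ds(EXAMPLE_CDNSKEY, 1) gives the digest-type-1 DS for this key, which can be compared field by field against the CDS quoted earlier in the thread.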
