On Oct 4, 2013, at 9:31 AM, Olafur Gudmundsson <[email protected]> wrote:
> 
> On Oct 4, 2013, at 1:51 AM, Matthijs Mekking <[email protected]> wrote:
> 
>> On 10/03/2013 10:06 PM, Paul Wouters wrote:
>>> On Thu, 3 Oct 2013, Warren Kumari wrote:
>>>
>>>> Ok, I just want to make completely sure I understand (so I make sure
>>>> that I'm correctly capturing things in the draft).
>>>>
>>>> We would have 2 RRs, one of CDS and one of CDNSKEY.
>>>>
>>>> CDS is as described in the earlier version of the doc.
>>>> example.com. 86400 IN CDS 31589 8 1
>>>> 3490A6806D47F17A34C29E2CE80E8A999FFBE4BE
>>>>
>>>> and CDNSKEY is:
>>>> example.com. 86400 IN CDNSKEY 57 3 8
>>>> AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipoj
>>>> rW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzF
>>>> sSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/H
>>>> HU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZ
>>>> Yc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vm
>>>> cUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXU E7yyETrQd18=
>>>>
>>>> Parents who want DS poll (or whatever) for CDS, parents who want
>>>> DNSKEY poll (or whatever) for CDNSKEY.
>>>>
>>>> Hopefully I'm understanding, because this seems much cleaner, simpler
>>>> and more elegant than the CTA stuff that I described.
>>>> So, is this what folk would like? If not, apologies for being dim...
>>>
>>> Yes.
>>
>> And no.
>>
>> We could introduce a separate RRtype for synchronizing DS with DNSKEY
>> material: CDNSKEY.
>>
>> We could also reuse the CDS RRtype. Then for parents who want DS poll:
>>
>> example.com. 86400 IN CDS *1* 257 3 8
>> AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipoj
>> rW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzF
>> sSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/H
>> HU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZ
>> Yc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vm
>> cUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXU E7yyETrQd18=
>>
>> and parents who want DNSKEY poll:
>>
>> example.com. 86400 IN CDS *0* 257 3 8
>> AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipoj
>> rW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzF
>> sSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/H
>> HU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZ
>> Yc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vm
>> cUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXU E7yyETrQd18=
>>
>>
>> Parents who do DS poll would still have to create the DS record, but at
>> least the child can signal which hash has to be used.
>>
>> Best regards,
>> Matthijs
> 
> 
> Matthijs and Paul
> I insisted on renaming the CDS to CTA in the last version just so we can
> clearly talk about options.
> 
> Strictly speaking we have 6 possible ways forward
> 1) DNSKEY only

Doesn't allow for those parents who actually want a pre-digested DS. Also doesn't allow for backup / hidden DNSKEY option.

> 2) CDS as DS

This was my original preferred option -- but, doesn't handle e.g. .NL who want a DNSKEY.

> 3) CDS + CDNSKEY as separate RR types

This is currently my preferred option -- only disadvantage I can think of is burning 2 RRtypes.

> 4) CTA that can include both DS and DNSKEY as RDATA

Yeah, that's what currently is in the document. This seems (to me at least) to be the ugliest option.

> 5) CDS + DNSKEY

Huzzawhat? Publish a DS in a CDS and require that the DNSKEY also exist? I don't understand what you are proposing.

> 6) Do not standardize this is too hard/controversial ?

Nah. I think #3 is the best option, followed by #2. This doesn't seem that hard to me, nor that controversial -- we just have folk who have different desires for what they want to publish (DS / DNSKEY). I think that we can easily accommodate both camps with #3, or (less preferred) #2.

> 
> Each one of these has advantages and disadvantages. I guess the next step is to
> create a table of pros and cons of each one.
> What criteria should be in the table?

1: Covers publishing both DS and DNSKEY
2: Ease of implementation
3: Elegance / lack of ugliness (somewhat subjective).

I'm planning on just tossing the CDS and CDNSKEY option into the draft on a plane this afternoon, and folk can have a look and see how they feel about this. To my mind the CDS + CDNSKEY seems by far the cleanest option.

W

> 
> Olafur
> 
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
> 

-- 
It's a mistake trying to cheer up camels. You might as well drop meringues into a black hole.
-- Terry Pratchett
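The thread's point that a DS-polling parent must derive the DS itself from a child's DNSKEY (while a parent that sees both CDS and CDNSKEY can cross-check them) is illustrated by the following added Python example, which is not code from the thread, the draft or any of its authors; it implements the RFC 4034 key tag and the RFC 4034/4509 DS digest over presentation-format records, and the sample CDNSKEY with its 2-byte key is constructed, not the key quoted above.

```python
import base64
import hashlib
import struct

# Digest types a CDS can ask the parent for (RFC 4034: 1 = SHA-1, RFC 4509: 2 = SHA-256)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}
# Constructed sample, not the key from the thread: a 2-byte "key" (base64 "AQI=") so the
# RFC 4034 Appendix B key tag can be checked by hand (it is 1291).
SAMPLE_CDNSKEY = "example. 86400 IN CDNSKEY 257 3 8 AQI="

def parse_rr(rr):
    """Split 'owner TTL IN TYPE rdata...' presentation format (no parentheses support);
    base64 or hex RDATA may arrive as several whitespace-separated chunks."""
    fields = rr.split()
    return fields[0], fields[3], fields[4:]

def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (valid for all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_cdnskey(cdnskey_rr, digest_type=2):
    """(key_tag, algorithm, digest_type, HEX_DIGEST) that a DS-polling parent would publish."""
    owner, rtype, fields = parse_rr(cdnskey_rr)
    if rtype != "CDNSKEY":
        raise ValueError("expected a CDNSKEY record")
    flags, proto, alg = (int(x) for x in fields[:3])
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(fields[3:]))
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest

def cds_matches_cdnskey(cds_rr, cdnskey_rr):
    """True only when the child's CDS equals the DS derived from its CDNSKEY, so a parent
    that sees both can refuse a pair that disagree instead of trusting either blindly."""
    _, rtype, fields = parse_rr(cds_rr)
    if rtype != "CDS" or len(fields) < 4:
        return False
    tag, alg, dtype = (int(x) for x in fields[:3])
    if dtype not in DIGEST_ALGS:  # unknown digest type: refuse rather than guess
        return False
    return ds_from_cdnskey(cdnskey_rr, dtype) == (tag, alg, dtype, "".join(fields[3:]).upper())
```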
