On 10/04/2013 03:23 PM, Warren Kumari wrote:
>
> On Oct 4, 2013, at 1:51 AM, Matthijs Mekking <[email protected]> wrote:
>
>> On 10/03/2013 10:06 PM, Paul Wouters wrote:
>>> On Thu, 3 Oct 2013, Warren Kumari wrote:
>>>
>>>> Ok, I just want to make completely sure I understand (so I make sure
>>>> that I'm correctly capturing things in the draft).
>>>>
>>>> We would have 2 RRs, one of CDS and one of CDNSKEY.
>>>>
>>>> CDS is as described in the earlier version of the doc.
>>>> example.com. 86400 IN CDS 31589 8 1
>>>> 3490A6806D47F17A34C29E2CE80E8A999FFBE4BE
>>>>
>>>> and CDNSKEY is:
>>>> example.com. 86400 IN CDNSKEY 57 3 8
>>>> AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipoj
>>>> rW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzF
>>>> sSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/H
>>>> HU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZ
>>>> Yc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vm
>>>> cUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXU E7yyETrQd18=
>>>>
>>>> Parents who want DS poll (or whatever) for CDS, parents who want
>>>> DNSKEY poll (or whatever) for CDNSKEY.
>>>>
>>>> Hopefully I'm understanding, because this seems much cleaner, simpler
>>>> and more elegant than the CTA stuff that I described.
>>>> So, is this what folk would like? If not, apologies for being dim...
>>>
>>> Yes.
>>
>> And no.
>>
>> We could introduce a separate RRtype for synchronizing DS with DNSKEY
>> material: CDNSKEY.
>>
>> We could also reuse the CDS RRtype. Then for parents who want DS poll:
>>
>> example.com. 86400 IN CDS *1* 257 3 8
>> AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipoj
>> rW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzF
>> sSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/H
>> HU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZ
>> Yc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vm
>> cUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXU E7yyETrQd18=
>>
>> and parents who want DNSKEY poll:
>>
>> example.com. 86400 IN CDS *0* 257 3 8
>> AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipoj
>> rW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzF
>> sSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/H
>> HU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZ
>> Yc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vm
>> cUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXU E7yyETrQd18=
>>
>> Parents who do DS poll would still have to create the DS record, but at
>> least the child can signal which hash has to be used.
>
> But no, because now the parents who want DS are not getting DS -- they are
> getting DNSKEY.

My understanding was that the reason why parents want DS is so that the
child can determine the hash digest to be used.

> This also doesn't satisfy the desire for standby keys (which perhaps we have
> been talking past each other about).

CDS with DNSKEY RDATA works identically to CDS with DS RDATA. The only
difference is that the way the information is published is different. So
it does allow for standby keys.

> Some children want to be able to publish a DS record, but not expose the
> DNSKEY until they start using it -- the method you have described doesn't
> allow for that…

Why would you not want to expose the DNSKEY that you are going to use?

Personally, I find these arguments weak. But if these are important for
people, the next best solution would be two RRtypes: CDS and CDNSKEY.

Best regards,
  Matthijs

>
> W
>
>
>>
>> Best regards,
>> Matthijs
>>
>>>
>>> Paul
>>> _______________________________________________
>>> DNSOP mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>
> --
> "Build a man a fire, and he'll be warm for a day. Set a man on fire, and
> he'll be warm for the rest of his life." -- Terry Pratchett
>
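The point both sides of the thread circle around is that a DS is a pure function of the DNSKEY: a parent that polls for key material can derive the DS itself, and the only thing the child actually controls is which digest type is used. The following is an added example written for this page, not code from the thread or from any of its participants, showing what a parent would compute from Matthijs's proposed "CDS with a leading selector" form. It assumes the reading that the leading field is the DS digest type (1 = SHA-1, 2 = SHA-256, 4 = SHA-384) and that 0 means "no DS wanted, take the DNSKEY as-is"; the function names (`parse_proposed_cds`, `parent_record`, `ds_from_dnskey`) are invented for illustration, and the two record strings are the ones quoted in the thread. The key tag follows RFC 4034 Appendix B and the DS digest covers the lower-cased wire-format owner name followed by the DNSKEY RDATA, as RFC 4034 section 5.1.4 specifies.

```python
import base64
import hashlib
import struct

# DS digest types from the IANA "DS RR Digest Types" registry (RFC 4034, RFC 4509, RFC 6605).
# Digest type 0 is not a real digest; in this added example it is the marker from the
# thread's proposal meaning "hand the parent the DNSKEY itself" (an assumed reading).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_name_wire(name: str) -> bytes:
    """Owner name in DNS wire format, lower-cased as RFC 4034 section 5.1.4 requires for DS."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5, alg 1)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type):
    """What a DS-polling parent derives from a child key: (key tag, alg, digest type, hex digest)."""
    if digest_type not in DIGEST_ALGS:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_proposed_cds(line: str) -> dict:
    """Parse the thread's proposed 'CDS <digest-type> <flags> <proto> <alg> <key>' presentation
    form. The '*...*' emphasis around the first field is stripped; base64 may span whitespace."""
    tokens = line.replace("*", "").split()
    owner, ttl, rclass, rtype = tokens[:4]
    if rclass.upper() != "IN" or rtype.upper() != "CDS":
        raise ValueError("not an IN CDS record: %r" % line)
    digest_type, flags, protocol, algorithm = (int(t) for t in tokens[4:8])
    pubkey = base64.b64decode("".join(tokens[8:]), validate=True)
    return {"owner": owner, "ttl": int(ttl), "digest_type": digest_type, "flags": flags,
            "protocol": protocol, "algorithm": algorithm, "pubkey": pubkey}


def parent_record(rec: dict) -> str:
    """Render what each kind of parent would publish from the proposed record:
    digest type 0  -> the parent takes the DNSKEY as-is (DNSKEY-polling parents);
    anything else  -> the parent derives a DS with the child-selected digest (DS-polling parents)."""
    if rec["digest_type"] == 0:
        return "%s %d IN DNSKEY %d %d %d %s" % (
            rec["owner"], rec["ttl"], rec["flags"], rec["protocol"], rec["algorithm"],
            base64.b64encode(rec["pubkey"]).decode("ascii"))
    tag, alg, dtype, digest = ds_from_dnskey(rec["owner"], rec["flags"], rec["protocol"],
                                             rec["algorithm"], rec["pubkey"], rec["digest_type"])
    return "%s %d IN DS %d %d %d %s" % (rec["owner"], rec["ttl"], tag, alg, dtype, digest)


# The two records quoted in the thread, verbatim (same key; only the leading selector differs).
THREAD_KEY = (
    "AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipoj"
    "rW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzF"
    "sSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/H"
    "HU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZ"
    "Yc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vm"
    "cUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXU E7yyETrQd18="
)
CDS_FOR_DS_PARENTS = "example.com. 86400 IN CDS *1* 257 3 8 " + THREAD_KEY
CDS_FOR_DNSKEY_PARENTS = "example.com. 86400 IN CDS *0* 257 3 8 " + THREAD_KEY

if __name__ == "__main__":
    for line in (CDS_FOR_DS_PARENTS, CDS_FOR_DNSKEY_PARENTS):
        print(parent_record(parse_proposed_cds(line)))
```

Running the script prints the DS a digest-type-1 parent would install for the thread's key and the DNSKEY a digest-type-0 parent would take verbatim. Note that the selector only chooses the digest; the parent still does the hashing, which is exactly the objection in the thread that DS-polling parents "are getting DNSKEY".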
