On Oct 9, 2013, at 4:10 AM, Billy Glynn <[email protected]> wrote:

> 
> On 5 Oct 2013, at 19:55, Warren Kumari wrote:
> 
>> So, would like to get some feedback on this version -- I understand that it 
>> might not please everyone, such is the nature of compromise.
>> 
>> W
>> 
>> Filename:     draft-kumari-ogud-dnsop-cds
>> Revision:     05
> 
> Section 2.2.1
> 
> "The proposal
>    below can operate with both models, but the child needs to be aware
>    of the parental policies."
> 
> also
> Section 6.2.1
> "The
>    DNS Parent needs to publish guidelines for the children as to what
>    digest algorithms are acceptable in the CDS record.
> "
> 
> Maybe I missed it... but how would a child be aware of the "parental 
> policies"?

Thank you, great question.

The way I had envisioned this working was that the human operating the child 
would "know" because they interacted with the parent when bootstrapping the 
relationship, and had to enter either the DS or DNSKEY.
I'm also expecting that in general CDS / CDNSKEY records will be published by 
tools -- the human operating the child ("human child"?) could configure the 
tool to do CDS or CDNSKEY -- by default I'd expect the tool to simply 
publish both, but some children might have religious^W valid[0] reasons for 
only wanting to publish one or the other.
I'm expecting the *huge* majority of children will just publish both, and 
let their parents choose whichever one they want.

This text all appeared in the most recent draft, which was written in a bit of 
a rush (so I could chat with folk about it at the DNS-OARC meeting / I like 
rev'ing docs so that folk have something concrete to look at), I'll try to make 
this clearer in the next rev…

W

[0]: For example, there are some children who want to publish two (or multiple) 
DS records in their parent, and keep one of the DNSKEYs hidden / private / 
secret. That way, if their key is compromised they can just start signing with 
the new DNSKEY.

> Billy

--
What our ancestors would really be thinking, if they were alive today, is: "Why 
is it so dark in here?"

    -- (Terry Pratchett, Pyramids)
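As an added illustration of the two points in the reply above (a child tool that publishes both CDS and CDNSKEY and lets the parent pick, and the footnote case of a child that publishes CDS for a key whose DNSKEY it keeps hidden), here is a small Python model of both sides. It is example code written for this thread, not text or code from the draft; the DNSKEY wire format, the key tag computation and the DS digest construction follow RFC 4034 / RFC 4509, while the parent-side selection rule (prefer CDS with an acceptable digest type, otherwise derive DS from CDNSKEY with the parent's preferred type) is an assumed policy, and the function names and the 8-byte key blobs are constructed placeholders, not real keys.

```python
import hashlib
import struct

# DS digest type -> hash constructor (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, rdata, digest_type):
    """DS RDATA for a DNSKEY: (key tag, algorithm, digest type, hex digest);
    the digest covers owner-name wire form followed by the DNSKEY RDATA."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def child_publishes(owner, cds_keys, cdnskey_keys, digest_types):
    """What the child's tool puts in its zone. cds_keys may include a key that is
    NOT in cdnskey_keys: the footnote case where one DNSKEY stays hidden but the
    child still wants its DS pre-published at the parent."""
    return {
        "CDNSKEY": list(cdnskey_keys),
        "CDS": [ds_from_dnskey(owner, k, t) for k in cds_keys for t in digest_types],
    }


def parent_chooses(owner, published, acceptable, preferred):
    """Assumed parent policy: take CDS records whose digest type the parent accepts;
    if none qualify, derive DS from CDNSKEY using the parent's preferred digest type.
    Raises if the child published nothing the parent can use."""
    cds = sorted({ds for ds in published.get("CDS", []) if ds[2] in acceptable})
    if cds:
        return cds
    cdnskey = published.get("CDNSKEY", [])
    if cdnskey:
        return sorted({ds_from_dnskey(owner, k, preferred) for k in cdnskey})
    raise ValueError("no CDS with an acceptable digest type and no CDNSKEY")


if __name__ == "__main__":
    owner = "example.com."
    # Constructed placeholder key material (real public keys are far longer).
    ksk_live = dnskey_rdata(257, 8, bytes(range(1, 9)))     # in the zone
    ksk_hidden = dnskey_rdata(257, 8, bytes(range(9, 17)))  # kept offline
    # Footnote case: CDS for both keys, CDNSKEY only for the live one.
    zone = child_publishes(owner, [ksk_live, ksk_hidden], [ksk_live], [2])
    for ds in parent_chooses(owner, zone, acceptable={2, 4}, preferred=2):
        print("DS", *ds)
```

Running it prints two DS records for `example.com.`, one per key tag, even though only one DNSKEY is visible in the child zone; swapping the digest type the child uses for one the parent does not accept makes `parent_chooses` fall back to deriving DS from the CDNSKEY set instead, which is the "parent picks whichever one it wants" behaviour from the reply.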



_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
