On 2014-02-07, at 13:31, Mukund Sivaraman <[email protected]> wrote:

> Did you see my reply to your email a few weeks ago where I asked why new
> CDS/CDNSKEY RR types are required instead of adding a new bit to the
> Flags field of the DNSKEY RR. Please can you look for my last email
> which lists some advantages? There may be a good reason for it, but I
> don't want you to miss considering it. :)

The apex of a signed child zone already contains a DNSKEY RRSet, and that whole 
RRSet is retrieved by validators who want to validate signatures within the 
child zone.

Adding extra RRs to that set would inflate the response sizes towards those 
validators with information that is of no practical benefit to them.

Putting those extra RRs in a different RRSet (CDNSKEY) means they can be 
explicitly retrieved by clients (provisioningware of parents, or parental 
agents) who need them, without sending them to other clients unnecessarily.

We are, I think, more comfortable with large responses in 2014 than we were in 
2010 (at least, we are more comfortable that there are not hideous, 
fireball-type consequences) but I don't think we should be in the business of 
inflating responses for no reason.

Also, reflection attacks, amplification potential.


Joe
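The response-size argument above can be checked with a small wire-format model. The following is an added example, not code from either poster or from any DNS implementation: it builds DNSKEY and RRSIG records with the RFC 1035/4034 field layouts and compares the size of a DNSKEY response when extra key RRs are folded into the apex DNSKEY RRset against keeping them in a separate RRset that validators never ask for. The zone name, the RSA key sizes (RFC 3110 encoding), the single RRSIG over the set, and the owner-name compression pointer to the question name are all assumptions chosen for the illustration; the amplification figure is simply response bytes divided by query bytes, the quantity a defender estimating reflection risk would look at.

```python
"""Wire-size model: how much a DNSKEY response grows when extra RRs are added
to the apex DNSKEY RRset, versus keeping them in a separate RRset (CDNSKEY)
that validators do not request.  Added illustration, not protocol code.
"""
import struct

DNSKEY, RRSIG = 48, 46  # RR type codes (RFC 4034)


def encode_name(name: str) -> bytes:
    """Uncompressed DNS wire-format name (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rsa_pubkey_bytes(modulus_bits: int) -> int:
    """RFC 3110 RSA public key size: 1-byte exponent length, a 3-byte
    exponent (65537 assumed), then the modulus."""
    return 1 + 3 + modulus_bits // 8


def dnskey_rr(modulus_bits: int, flags: int = 256) -> bytes:
    """One DNSKEY RR.  The owner name is a 2-byte compression pointer to the
    question name at offset 12 (assumed, as real servers do); protocol=3,
    algorithm=8 (RSA/SHA-256), key bytes are constructed placeholders."""
    rdata = struct.pack("!HBB", flags, 3, 8) + b"\x00" * rsa_pubkey_bytes(modulus_bits)
    return b"\xc0\x0c" + struct.pack("!HHIH", DNSKEY, 1, 3600, len(rdata)) + rdata


def rrsig_rr(signer: str, covered: int, sig_bits: int) -> bytes:
    """One RRSIG RR; the signer name must not be compressed (RFC 4034 3.1.7).
    Timestamps and key tag are zero placeholders, signature is constructed."""
    labels = len(signer.rstrip(".").split("."))
    rdata = (struct.pack("!HBBIIIH", covered, 8, labels, 3600, 0, 0, 0)
             + encode_name(signer) + b"\x00" * (sig_bits // 8))
    return b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 3600, len(rdata)) + rdata


def query_size(zone: str) -> int:
    """'zone DNSKEY' query: 12-byte header, question, 11-byte EDNS0 OPT RR."""
    return 12 + len(encode_name(zone)) + 4 + 11


def dnskey_response_size(zone: str, dnskey_bits, rrsig_bits) -> int:
    """Response to a DNSKEY query: every key in the apex DNSKEY RRset comes
    back, plus one RRSIG per signing key, plus the OPT RR."""
    size = 12 + len(encode_name(zone)) + 4
    size += sum(len(dnskey_rr(bits)) for bits in dnskey_bits)
    size += sum(len(rrsig_rr(zone, DNSKEY, bits)) for bits in rrsig_bits)
    return size + 11


def compare(zone="example.com.", baseline=(2048, 1024), extra=(2048,), rrsig=(2048,)):
    """Compare the validator-facing DNSKEY response when the extra key RRs
    (e.g. a rollover key the parent needs to see) sit in the DNSKEY RRset
    versus in a separate RRset that the validator never fetches."""
    q = query_size(zone)
    in_dnskey = dnskey_response_size(zone, baseline + extra, rrsig)
    separate = dnskey_response_size(zone, baseline, rrsig)
    return {
        "query_bytes": q,
        "response_extra_in_dnskey": in_dnskey,
        "response_extra_in_separate_rrset": separate,
        "amplification_in_dnskey": in_dnskey / q,
        "amplification_separate_rrset": separate / q,
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v:.2f}" if isinstance(v, float) else f"{k}: {v}")
```

With the assumed 2048-bit KSK, 1024-bit ZSK and one RRSIG, the baseline DNSKEY response is 763 bytes against a 40-byte query; folding one more 2048-bit key RR into the same RRset pushes it to 1039 bytes, raising the amplification ratio from roughly 19x to 26x for every validator that fetches the set, while a separate RRset leaves the validator-facing response unchanged.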


_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
