On Feb 7, 2014, at 1:31 PM, Mukund Sivaraman <[email protected]> wrote:
> Hi Warren
>
> Did you see my reply to your email a few weeks ago where I asked why new
> CDS/CDNSKEY RR types are required instead of adding a new bit to the
> Flags field of the DNSKEY RR. Please can you look for my last email
> which lists some advantages? There may be a good reason for it, but I
> don't want you to miss considering it. :)
>
We considered it but there are drawbacks including:
- changing a flag on a DNSKEY record means the key footprint and hash of key change, so matching a key after a change in flags is hard for parents as they do not know which flag was changed.
- Publishing a future TA in the DNSKEY set makes the DNSKEY RRset larger
There are advantages to the new RR types:
- CDS allows the publication of a new Trust Anchor without exposing the public key of the new trust anchor
- Putting a new key in a different RRset keeps DNSKEY smaller
- less chance of confusion by parents.
So in short we considered it and rejected that approach.
Olafur
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
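The first drawback in Olafur's reply (a flag change alters both the key footprint and the hash of the key) can be checked directly, because the RFC 4034 key tag and the RFC 4509 DS digest are both computed over the whole DNSKEY RDATA, flags field included. The following script is an added example, not code from the thread or from any DNS implementation; it uses a constructed 4-byte placeholder in place of a real public key and compares a ZONE-only key (flags 256) with the same key after the SEP bit is set (flags 257).

```python
import hashlib
import struct

# DNSKEY flag bits (RFC 4034 section 2.1): ZONE = 0x0100, SEP = 0x0001.
FLAG_ZONE = 0x0100
FLAG_SEP = 0x0001
ALG_RSASHA256 = 8      # algorithm number only; the key bytes below are not a real key
DIGEST_SHA256 = 2      # DS digest type for SHA-256 (RFC 4509)

# Constructed placeholder standing in for the public key field of a DNSKEY.
PLACEHOLDER_KEY = b"\x01\x02\x03\x04"


def dnskey_rdata(flags, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag ("footprint"), computed over the entire RDATA.

    Even-offset bytes contribute their value shifted left by 8, odd-offset bytes
    contribute their raw value; the carry is folded back in and the result masked.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Owner name in uncompressed wire form (length-prefixed labels, root terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner, rdata):
    """RFC 4509 SHA-256 DS digest: SHA-256(owner name in wire form || DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()


def compare_flag_change(owner, public_key, old_flags, new_flags):
    """Show what a parent would see before and after a flags-only change to one key."""
    old = dnskey_rdata(old_flags, ALG_RSASHA256, public_key)
    new = dnskey_rdata(new_flags, ALG_RSASHA256, public_key)
    return {
        "old_tag": key_tag(old),
        "new_tag": key_tag(new),
        "old_ds": ds_digest(owner, old),
        "new_ds": ds_digest(owner, new),
        "tag_changed": key_tag(old) != key_tag(new),
        "ds_changed": ds_digest(owner, old) != ds_digest(owner, new),
    }


if __name__ == "__main__":
    result = compare_flag_change("example.", PLACEHOLDER_KEY, FLAG_ZONE, FLAG_ZONE | FLAG_SEP)
    for k, v in result.items():
        print(f"{k}: {v}")
```

The same public key bytes produce a different key tag and a different DS digest once a single flag bit is flipped, so a parent holding the old DS has no way, from the DS alone, to recognise the "new" DNSKEY as the same key with one bit changed; that is exactly why publishing the change in a separate CDS/CDNSKEY RRset avoids the ambiguity.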