In message <CA+nkc8A7LrA8E1V3TsNoFjqDcU0UwuZH=fcg+t_htatpsrk...@mail.gmail.com>
, Bob Harold writes:
> 
> On Wed, Nov 4, 2015 at 9:19 PM, IETF Secretariat <
> [email protected]> wrote:
> 
> >
> > The DNSOP WG has placed draft-wessels-edns-key-tag in state
> > Candidate for WG Adoption (entered by Tim Wicinski)
> >
> > The document is available at
> > https://datatracker.ietf.org/doc/draft-wessels-edns-key-tag/
> >
> 
> I freely admit to not being an expert on DNSSEC.  Some questions, if they
> make sense:
> 
> 5.2.1 - If the Stub Resolver is validating, then perhaps the recursive
> resolver should just pass the stub resolver's list of keys, so the Auth
> server knows whether the stub can validate with the new keys?  The
> Recursive will likely send other queries with its own key set, so the Auth
> server can get both sets of information - but will it understand the
> difference, or should we send forwarded keys separately?
> 
> In general, this lets us know that some servers have the new key, but is
> there any way in the process where we can mark a key as 'old' but still
> usable and wait until resolvers quit sending it, before we remove it?  Or
> is that too complicated?

You don't need to wait for resolvers to stop using a key.  You only
need to wait until they are using the new key.

If we have multiple instances of the option in the OPT record,

e.g.
        TAG <old>  TAG <old> <new>  TAG <new>

then you wait for "TAG <old>" to disappear from the incoming queries
before removing the old key.

e.g.
        TAG <old> <new>  TAG <new>

Now to get counts you need resolvers to count the unique clients
including themselves seen over a period and include those numbers
as well.

        TAG <count> <keyid> ....

If you have the union you get this sort of pattern

        TAG <old>
        TAG <old> <new>
        TAG <new>

And you don't know when you can safely withdraw the old key.

If you have the intersection you get this sort of pattern

        TAG <old>
        TAG                             The intersection set is empty
        TAG <old> <new> or TAG <new>
        TAG <new>

Mark

> -- 
> Bob Harold
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
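A small model of the aggregation question raised above, added here as an example (it is not code from the thread or from draft-wessels-edns-key-tag): a forwarding resolver combines the key tag lists of its stub clients by union or by intersection, and the authoritative side applies the rule "withdraw the old key once no report still lacks the new one". The tag values and the client population are constructed samples, and the mode names are this example's own.

```python
"""Added example, not from the thread: a forwarding resolver combines the
edns-key-tag lists of its stub clients, and the authoritative operator has to
decide from the combined reports whether the old key can be withdrawn.
Tag values are constructed samples, not real key tags."""
from collections import Counter
from itertools import chain

OLD, NEW = 12345, 54321        # constructed key tags of the old and new KSK

def aggregate(client_sets, mode):
    """Tag set a forwarder puts in its own option, built from its clients."""
    sets = [frozenset(s) for s in client_sets]
    if not sets:
        return frozenset()
    if mode == "union":
        return frozenset(chain.from_iterable(sets))
    if mode == "intersection":
        return frozenset.intersection(*sets)
    raise ValueError(f"unknown mode {mode!r}")

def with_counts(client_sets, own_set):
    """The 'TAG <count> <keyid> ...' variant: per distinct tag set, how many
    unique clients (the forwarder itself included) advertised it."""
    return Counter(frozenset(s) for s in chain(client_sets, [own_set]))

def safe_to_withdraw(reports, new):
    """Authoritative-side rule from the thread: stop only when no incoming
    report still lacks the new tag, i.e. 'TAG <old>' has disappeared."""
    return all(new in r for r in reports)

def demo(mode):
    # Constructed population behind one forwarder: stub A trusts only OLD,
    # stub B only NEW, stub C already has both.  One more resolver ('direct')
    # queries the authoritative server itself and has only NEW.
    stubs = [{OLD}, {NEW}, {OLD, NEW}]
    forwarder = aggregate(stubs, mode)
    direct = frozenset({NEW})
    return forwarder, safe_to_withdraw([forwarder, direct], new=NEW)

if __name__ == "__main__":
    for mode in ("union", "intersection"):
        agg, ok = demo(mode)
        print(f"{mode:12} forwarder reports {sorted(agg)} -> withdraw old: {ok}")
    # Per-set counts expose the old-only client no matter how sets are merged.
    print(dict(with_counts([{OLD}, {NEW}, {OLD, NEW}], {NEW})))
```

Under union the forwarder reports both tags and the rule wrongly says the old key can go while stub A still validates with it alone; under intersection the forwarder reports the empty set, which keeps the withdrawal blocked until every client carries the new tag.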

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
