At 7:43 -0500 11/18/04, Miek Gieben wrote:
> But who is more likely to make mistakes? The child, which doesn't even see the DS in its zone? Or the parent who generates them by the million?
Resisting the open net shot at a snide comment, what difference does this make? If you are concerned that the child can't generate the hash, consider that making the keys, putting them in the zone, and signing is more difficult.
Granted this is a comment on an implementation, but here is the sequence of commands issued to get to a signed zone and the hash:
Make two keys

  $ dnssec-keygen -a RSA -b 512 -n zone -f KSK zone1.example
  $ dnssec-keygen -a RSA -b 512 -n zone zone1.example

Add the keys into the zone ($INCLUDE used in this example)

  $ vi zone1.example

Sign the zone

  $ dnssec-signzone -k Kzone1.example.+001+42509 -o zone1.example \
      -t zone1.example Kzone1.example.+001+64678

At the end of this, I see a file called dsset-... which has the DS all set.
'Course this is one implementation's tools. There are still some more operational optimizations to go. Also, I'm showing a "clean start" - no old keys to mess with.
The point is that the DS hash generation is a byproduct of a far more "complicated" process (= a two [2!] line signing command ;) ).
This is not an argument of DNSKEY vs. DS. The tools above also give a keyset-... file, although it doesn't have the RRSIGs in it as needed in -epp-secdns-05.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
I think my jabber client and SMS phone are talking about me behind my back.
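The message argues that the DS digest is a trivial byproduct of the signing process, so a child can produce it just as easily as a parent. As an added illustration (not code from the mail or from the BIND tools it mentions), the following Python computes exactly what goes into a dsset- file: the DNSKEY key tag (RFC 4034 Appendix B, including the RSA/MD5 special case that the "+001+" in the key file names above refers to) and the DS digest over the canonical owner name plus DNSKEY RDATA (RFC 4034 section 5.1.4, SHA-1; RFC 4509, SHA-256). The DNSKEY bytes used in the demo are a constructed placeholder, not a real RSA key; the key-file-name parser assumes BIND's K<owner>+<alg>+<tag> naming as shown in the mail.

```python
"""Derive a DS record from a DNSKEY the way a dsset- file does (RFC 4034 / RFC 4509).

Added example; assumes BIND-style key file names (Kowner+alg+tag) as seen
in the mail and uses a constructed, non-cryptographic public key for the demo.
"""
import base64
import hashlib
import re

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_TYPES = {1: "sha1", 2: "sha256"}


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (B.1 covers algorithm 1, RSA/MD5)."""
    algorithm = rdata[3]
    if algorithm == 1:
        # Most significant 16 bits of the least significant 24 bits of the modulus.
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """Hex digest of canonical owner wire name || DNSKEY RDATA."""
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(owner_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_record(owner, rdata, digest_type=2):
    """Presentation-format DS RR: owner IN DS keytag algorithm digesttype digest."""
    return "%s IN DS %d %d %d %s" % (
        owner, key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def parse_dnskey_text(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into (owner, rdata)."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    public_key = base64.b64decode("".join(fields[idx + 4:]))
    return owner, dnskey_rdata(flags, proto, alg, public_key)


# BIND key file naming as seen in the mail: Kzone1.example.+001+42509
KEYFILE_RE = re.compile(r"^K(?P<owner>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


def parse_keyfile_name(name):
    """Return (owner, algorithm, key tag) from a BIND-style key file base name."""
    m = KEYFILE_RE.match(name)
    if not m:
        raise ValueError("not a Kowner+alg+tag key file name: %r" % name)
    return m.group("owner"), int(m.group("alg")), int(m.group("tag"))


if __name__ == "__main__":
    # Constructed sample: flags 257 (KSK), protocol 3, algorithm 8, placeholder key bytes.
    sample = "zone1.example. 3600 IN DNSKEY 257 3 8 AQIDBA=="
    owner, rdata = parse_dnskey_text(sample)
    print(ds_record(owner, rdata, 1))
    print(ds_record(owner, rdata, 2))
    print(parse_keyfile_name("Kzone1.example.+001+42509"))
```

Running this prints the SHA-1 and SHA-256 DS records for the constructed key and confirms that the key file names in the mail encode algorithm 1 and key tags 42509 and 64678, so the DS value a parent would want is fully determined by data the child already holds.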
