From: Samuel Weiler [mailto:[EMAIL PROTECTED]
Section 2: "... the key data SHOULD have the Secure Entry Point (SEP) bit set as described in RFC 3757." I'd like to see this be a 2119 MAY -- RFC3757 does not say SHOULD, and this document does not document the need for the 2119 SHOULD.
This text exists at the request of Ed Lewis. Ed, what say you? Would a MAY be sufficient?
The reason I think a SHOULD is correct -
(First the overarching plan)
The time will come when there will be a need to have automatic tools to measure and correct what's in the DNS. Maybe not even in the next 5 years, but eventually. After working on the DNS protocol for years (I'm not talking about operations), my personal observation is that the protocol lacks management features. The state of DNS operations is still rather healthy, but if we don't take steps to make it more manageable, someday I fear DNS will unravel.
'Course, the beauty of the DNS is that it is loosely coupled, enabling it to scale.
But, there are times in which more management is needed.
I am not talking about steps to make what's on port 53 more managed or more restricted. I see the need for "health monitors" to be deployed to identify potential problems in the DNS tree. Lord, umm, PVM knows, there are a lot of legal set ups in DNS that will cause nothing but pain and hardship.
(A concrete reason)
I want the SEP bit there to make diagnostic tools possible. Not that I see a tool coming soon, but I want to make them possible today. I believe that this is a prudent restriction in any delegation situation that is enabled via an EPP.
(The counter question)
Given that we are talking about operations, is there a reason why an EPP client would have the desire to provision a non-SEP key as a DS record?
(The big finish)
That's why I asked Scott to use a SHOULD. The DS is intended to reference secure entry points or key signing keys. The DS can reference zone signing keys, but then the DS will have to be changed so often we might as well go back to RFC 2065 mode.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
"A noble spirit embiggens the smallest man." - Jebediah Springfield
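The kind of "health monitor" the message above argues the SHOULD makes possible, as an added example that is not part of this thread: it matches a zone's DS set against its DNSKEY set (RFC 4034 key tag and SHA-256 DS digest) and reports any DS record that references a key without the SEP bit. The zone name, keys and DS records are constructed sample data, not real zone material.

```python
import hashlib

SEP_FLAG = 0x0001  # RFC 3757: Secure Entry Point is the low-order DNSKEY flag bit


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """RFC 4034 DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over canonical owner name + DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest()


def ds_referencing_non_sep(owner: str, dnskeys: list, ds_set: list) -> list:
    """Return DS records (tag, digest) whose matching DNSKEY lacks the SEP bit.

    dnskeys: list of (flags, algorithm, pubkey_bytes); ds_set: list of (tag, hex digest).
    """
    findings = []
    for tag, digest in ds_set:
        for flags, alg, pub in dnskeys:
            rdata = dnskey_rdata(flags, alg, pub)
            if key_tag(rdata) == tag and ds_digest(owner, rdata) == digest:
                if not flags & SEP_FLAG:
                    findings.append((tag, digest))
    return findings


# Constructed sample zone: one KSK (flags 257, SEP set) and one ZSK (flags 256).
SAMPLE_OWNER = "example."
SAMPLE_KSK = (257, 13, bytes(range(32)))
SAMPLE_ZSK = (256, 13, bytes(range(32, 64)))
```

A parent publishing a DS for SAMPLE_ZSK would be flagged; a DS for SAMPLE_KSK would not.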
