At 10:02 -0500 3/15/05, Scott Hollenbeck wrote:
> It's been proposed that the sDate/eDate parameters be removed. The person that first proposed their inclusion (Mark Kosters) has agreed that they're probably not needed.
Post DNSOP meeting...
Besides the necessary parameters for the DS RR and the ancillary DNSKEY RR, there are three issues.
1) Limiting the time-of-vulnerability of a child to a key exposure.
The suggestion is to send a numeric parameter (seconds, relative time) along with an update adding a DS RR.
2) Aligning TTLs of the authoritative DNSKEY (in child) and the authoritative DS (in parent).
This is probably not necessary. DNSSECbis (-protocols) contains this in section 2.4:
The TTL of a DS RRset SHOULD match the TTL of the delegating NS RRset (that is, the NS RRset from the same zone containing the DS RRset).
Apparently, we shouldn't be concerned about the TTL.
3) What happens when the server won't honor the request of the client, specifically regarding #1?
A hard failure seems prudent, otherwise the server might publish an unacceptable (to the child's policy) RRSIG.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Achieving total enlightenment has taught me that ignorance is bliss.
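As an added illustration (not code from the thread or from any EPP/DNSSEC implementation), the following constructed model shows how a parent-side server could handle the three points above: the child's relative lifetime limit sent with a DS add (issue 1), the DS TTL taken from the delegating NS RRset rather than from the client (issue 2), and a hard failure instead of publishing an RRSIG the child's policy would not accept (issue 3). All class and function names, and the sample policy values, are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model; names and field layout are assumptions, not an EPP schema.

@dataclass
class ParentPolicy:
    sig_validity_seconds: int   # lifetime of RRSIGs the parent generates
    ns_ttl_seconds: int         # TTL of the delegating NS RRset in the parent


@dataclass
class DsAddRequest:
    key_tag: int
    max_sig_life_seconds: Optional[int]   # issue 1: relative limit, None = none
    requested_ttl_seconds: Optional[int]  # client-suggested DS TTL, if any


class UpdateRejected(Exception):
    """Hard failure (issue 3): the server cannot honour the child's policy."""


def process_ds_add(req: DsAddRequest, policy: ParentPolicy, now: int) -> dict:
    """Accept a DS add and return what the parent would publish.

    Raises UpdateRejected when the parent's RRSIG lifetime would exceed the
    child's requested maximum, rather than silently publishing anyway.
    """
    # Issue 1 / issue 3: refuse the update instead of publishing an RRSIG
    # whose validity window is longer than the child is willing to accept.
    if (req.max_sig_life_seconds is not None
            and policy.sig_validity_seconds > req.max_sig_life_seconds):
        raise UpdateRejected(
            f"parent RRSIG validity {policy.sig_validity_seconds}s exceeds "
            f"child limit {req.max_sig_life_seconds}s (key tag {req.key_tag})")

    # Issue 2: the DS RRset TTL SHOULD match the delegating NS RRset TTL
    # (DNSSECbis -protocol, section 2.4), so any client-suggested TTL is
    # ignored in favour of the parent's NS TTL.
    ds_ttl = policy.ns_ttl_seconds

    return {
        "key_tag": req.key_tag,
        "ds_ttl": ds_ttl,
        "rrsig_inception": now,
        "rrsig_expiration": now + policy.sig_validity_seconds,
    }
```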
