Also see thread starting at:
http://darkwing.uoregon.edu/~llynch/dnsop/msg03465.html
Formality.
We propose to take over the "asynchronous ascii art" as proposed by Ed
at the end of the message.
> >> # DNSKEY 10 is used to sign all the data of the zone, the zone-
> >> # signing key.
> >> # pre-roll: DNSKEY 11 is introduced into the key set. Note that no
> >> # signatures are generated with this key yet, but this does not
> >> # secure against brute force attacks on the public key. The minimum
> >> # duration of this pre-roll phase is the time it takes for the data
> >> # to propagate to the authoritative servers plus TTL value of the
> >> # key set. This equates to two times the Maximum Zone TTL.
> >>
> >> Aren't all keys required to sign the key set?
> >
> >Only the keys a DS record points to.
> >
> >
> >> # The scenario above puts the responsibility for maintaining a valid
> >> # chain of trust with the child. It also is based on the premises that
> >> # the parent only has one DS RR (per algorithm) per zone. An
> >> # alternative mechanism has been considered. Using an established
> >> # trust relation, the interaction can be performed in-band, and the
> >> # removal of the keys by the child can possibly be signaled by the
> >> # parent. In this mechanism there are periods where there are two DS
> >> # RRs at the parent. Since at the moment of writing the protocol for
> >> # this interaction has not been developed further discussion is out of
> >> # scope for this document.
> >>
> >> Perhaps you should also show the DS set at the parent in the example.
> >> Later you have one, but it is for the 2 DS at the parent option.
> >
> >Ack, proposed diagram:
> >
> > Parent:
> >                 normal              between "roll" and "after"
> >
> >                 SOA0                SOA3
> >                 RRSIGpar(SOA0)      RRSIGpar(SOA3)
> >                 DS1                 DS2
> >                 RRSIGpar(DS)        RRSIGpar(DS)
> >
> >
> >                 normal              roll                after
> >
> >                 SOA0                SOA1                SOA2
> >                 RRSIG10(SOA0)       RRSIG10(SOA1)       RRSIG10(SOA2)
> >
> >                 DNSKEY1             DNSKEY1             DNSKEY2
> >                                     DNSKEY2
> >                 DNSKEY10            DNSKEY10            DNSKEY10
> >                 RRSIG1 (DNSKEY)     RRSIG1 (DNSKEY)     RRSIG2(DNSKEY)
> >                                     RRSIG2 (DNSKEY)
> >                 RRSIG10(DNSKEY)     RRSIG10(DNSKEY)     RRSIG10(DNSKEY)
>
> I would label this as four events - initial, new key, DS change, key removal.
>
> I would also make the four look more asynchronous, like below:
>
>
>                 initial           new key           DS change         key removal
>
> Parent Zone:
>                 SOA0              -------->         SOA3              -------->
>                 RRSIGpar(SOA0)    -------->         RRSIGpar(SOA3)    -------->
>                 DS1               -------->         DS2               -------->
>                 RRSIGpar(DS)      -------->         RRSIGpar(DS)      -------->
>
> Child Zone:
>                 SOA0              SOA1              -------->         SOA2
>                 RRSIG10(SOA0)     RRSIG10(SOA1)     -------->         RRSIG10(SOA2)
>                 DNSKEY1           DNSKEY1           -------->         DNSKEY2
>                                   DNSKEY2           -------->
>                 DNSKEY10          DNSKEY10          -------->         DNSKEY10
>                 RRSIG1 (DNSKEY)   RRSIG1 (DNSKEY)   -------->         RRSIG2(DNSKEY)
>                                   RRSIG2 (DNSKEY)   -------->
>                 RRSIG10(DNSKEY)   RRSIG10(DNSKEY)   -------->         RRSIG10(DNSKEY)
>
> This isolates the steps at the child vs the parent.
--
---------------------------------| Olaf M. Kolkman
---------------------------------| RIPE NCC
---------------------------------| JID: olaf at jabber.secret-wg.org
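Added here as an illustration of the four events in Ed's diagram (this is example code, not from the thread or from the draft): a small Python model of the parent DS set and the child DNSKEY set at each step, checking that a resolver holding any adjacent pair of parent/child views still finds a DS that points at a published key which signed the DNSKEY RRset. Key tags 1, 2 and 10 are taken from the diagram; the "adjacent steps only" cache model is an assumption.

```python
from itertools import product

# The four events from the diagram, in order.
STEPS = ["initial", "new key", "DS change", "key removal"]

# Parent zone per step: key tags the DS RRset points to (read off the diagram).
PARENT_DS = {
    "initial": {1}, "new key": {1}, "DS change": {2}, "key removal": {2},
}

# Child zone per step: (published DNSKEY tags, tags whose RRSIG covers the DNSKEY RRset).
# Tag 10 is the zone-signing key and signs the key set throughout.
CHILD = {
    "initial":     ({1, 10},    {1, 10}),
    "new key":     ({1, 2, 10}, {1, 2, 10}),
    "DS change":   ({1, 2, 10}, {1, 2, 10}),
    "key removal": ({2, 10},    {2, 10}),
}


def chain_valid(ds_tags, dnskeys, signers):
    """A validator can build the chain if some DS names a published key
    that has produced an RRSIG over the DNSKEY RRset."""
    return any(tag in dnskeys and tag in signers for tag in ds_tags)


def rollover_failures(parent_ds, child, steps=STEPS):
    """Return the (parent_view, child_view) pairs for which validation breaks.

    Assumption (constructed cache model): because parent and child data expire
    independently, a resolver may combine the current step of one zone with the
    previous step of the other, so every such adjacent combination must validate."""
    failures = []
    for i, step in enumerate(steps):
        views = [step] + ([steps[i - 1]] if i > 0 else [])
        for p_view, c_view in product(views, views):
            keys, signers = child[c_view]
            if not chain_valid(parent_ds[p_view], keys, signers):
                failures.append((p_view, c_view))
    return failures


def hasty_child():
    """Variant that drops DNSKEY1 at the DS change step instead of waiting for
    the separate key-removal event; used to show why the events are kept apart."""
    variant = dict(CHILD)
    variant["DS change"] = ({2, 10}, {2, 10})
    return variant


if __name__ == "__main__":
    print("diagram rollover failures:", rollover_failures(PARENT_DS, CHILD))
    print("hasty rollover failures:  ", rollover_failures(PARENT_DS, hasty_child()))
```

The hasty variant fails for a resolver that still caches DS1 from the parent while already seeing the child's post-change DNSKEY set, which is exactly the window the diagram's separate "key removal" column avoids.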
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html