Re: [regext] draft-ietf-regext-bundling-registration-06.txt - Impact of DNSSEC?
On Tue, Oct 30, 2018, at 19:31, Mack, Justin wrote:
> I see that most attributes are shared between domains in the bundle,
> such as assigned nameservers. Does this mean that DS/DNSKEY information
> is also shared between these domains?

Not possible for DS data as the DS digest value is computed in part from the domain name.
So even if using the same key to sign two domains, the DS values will be different.

It is technically possible to share a given DNSKEY between multiple domains,
but then it means their fate is cryptographically tied: one key compromise
opens attacks to all of them.

It is kind of like choosing, in the X.509 world, between doing one certificate with
X domains, related or not, on one side, and on the other side doing X separate
certificates, each one with one domain.

--
  Patrick Mevzek
  p...@dotandco.com

___
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
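The DS computation described in the message above, as an added example that is not part of the original thread: the SHA-256 DS digest (RFC 4509) hashes the owner name in canonical wire form followed by the DNSKEY RDATA, while the key tag (RFC 4034 Appendix B) is computed over the RDATA alone. The names `example.com` and `example.net` and the 32 key bytes are constructed placeholders.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than 1); the owner name is not an input."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_for(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type 2, SHA-256 digest) of the DS record for `owner`."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

# Constructed sample: one KSK (flags 257, protocol 3, algorithm 15 = Ed25519) shared by
# two bundled names. The 32 key bytes are placeholder material, not a real key.
SHARED_KSK = dnskey_rdata(257, 3, 15, bytes(range(32)))
BUNDLE = ["example.com", "example.net"]  # hypothetical bundle members

if __name__ == "__main__":
    for owner in BUNDLE:
        tag, alg, dtype, digest = ds_for(owner, SHARED_KSK)
        print(f"{owner}. IN DS {tag} {alg} {dtype} {digest}")
```

Both records print the same key tag and algorithm but different digests, so each bundled name needs its own DS record at the parent even when the DNSKEY is shared.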
Re: [regext] draft-ietf-regext-bundling-registration-06.txt - Impact of DNSSEC?
From: Mack, Justin
Date: 2018-10-31 02:31
To: regext@ietf.org
Subject: Re: [regext] draft-ietf-regext-bundling-registration-06.txt - Impact of DNSSEC?

>Greetings REGEXT,
>
>What is the impact of DNSSEC on bundled domain names in this specification?
>

I think that there is no direct impact.

>I see that most attributes are shared between domains in the bundle,
>such as assigned nameservers. Does this mean that DS/DNSKEY information
>is also shared between these domains?
>

The DNS administrator can choose whether DS/DNSKEY information can be shared or not. This document does not specify it.

>As a DNS administrator, I assume I must create separate zones for each
>domain in the bundle, if I want them all to resolve.

In the case of (TLDs are different) LABEL.V-tld-A and LABEL.V-tld-B, you must create separate zones.
In the case of (TLD is same) V-label-A.TLD and V-label-B.TLD, you can choose to create separate zones or not.

>Must I share the
>same Key Signing Keys (KSKs) and even Zone Signing Keys (ZSKs) between
>the bundled zones?
>

As pointed out above, the DNS administrator can choose whether DS/DNSKEY information can be shared or not. This document does not specify it.

Thanks.

Jiankang Yao

>Thank you.
Re: [regext] draft-ietf-regext-bundling-registration-06.txt - Impact of DNSSEC?
Greetings REGEXT,

What is the impact of DNSSEC on bundled domain names in this specification?

I see that most attributes are shared between domains in the bundle,
such as assigned nameservers. Does this mean that DS/DNSKEY information
is also shared between these domains?

As a DNS administrator, I assume I must create separate zones for each
domain in the bundle, if I want them all to resolve. Must I share the
same Key Signing Keys (KSKs) and even Zone Signing Keys (ZSKs) between
the bundled zones?

Thank you.

Justin Mack
MarkMonitor

(Apologies for the rewritten URLs below.)

On 10/11/2018 03:32 AM, internet-dra...@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Registration Protocols Extensions WG of the
> IETF.
>
> Title    : Extensible Provisioning Protocol (EPP) Domain Name
>            Mapping Extension for Strict Bundling Registration
> Authors  : Ning Kong
>            Jiankang Yao
>            Linlin Zhou
>            Wil Tan
>            Jiagui Xie
> Filename : draft-ietf-regext-bundling-registration-06.txt
> Pages    : 24
> Date     : 2018-10-11
>
> Abstract:
> This document describes an extension of Extensible Provisioning
> Protocol (EPP) domain name mapping for the provisioning and
> management of strict bundling registration of domain names.
> Specified in XML, this mapping extends the EPP domain name mapping to
> provide additional features required for the provisioning of bundled
> domain names.
>
> The IETF datatracker status page for this draft is:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dregext-2Dbundling-2Dregistration_=DwICAg=OGmtg_3SI10Cogwk-ShFiw=AG9XZF6h6bGkr7jkOsJt13dFth_3nZ0W8EKEBd3N1Q8=aFaF5o0f8sxrnIXNr-n6f34GgoarcpzONIom6hYx98M=7BwGRFn-P6YyGPxct5ZKg7otvozkt2_1DjybxjRGeR0=
>
> There are also htmlized versions available at:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Dregext-2Dbundling-2Dregistration-2D06=DwICAg=OGmtg_3SI10Cogwk-ShFiw=AG9XZF6h6bGkr7jkOsJt13dFth_3nZ0W8EKEBd3N1Q8=aFaF5o0f8sxrnIXNr-n6f34GgoarcpzONIom6hYx98M=6041TLf1_Ae96JfqxwvLSaGB8ncwtR9_w-T0RcyDPDk=
> https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_html_draft-2Dietf-2Dregext-2Dbundling-2Dregistration-2D06=DwICAg=OGmtg_3SI10Cogwk-ShFiw=AG9XZF6h6bGkr7jkOsJt13dFth_3nZ0W8EKEBd3N1Q8=aFaF5o0f8sxrnIXNr-n6f34GgoarcpzONIom6hYx98M=95PmUhgVYQwYLfRS5qgJU1xqL4zLGt0a-tnjJU66Owo=
>
> A diff from the previous version is available at:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_rfcdiff-3Furl2-3Ddraft-2Dietf-2Dregext-2Dbundling-2Dregistration-2D06=DwICAg=OGmtg_3SI10Cogwk-ShFiw=AG9XZF6h6bGkr7jkOsJt13dFth_3nZ0W8EKEBd3N1Q8=aFaF5o0f8sxrnIXNr-n6f34GgoarcpzONIom6hYx98M=FuWB9lzdrjpHTIA4z4xkgs2FaGdYTGMWivotrb69wdw=
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> https://urldefense.proofpoint.com/v2/url?u=ftp-3A__ftp.ietf.org_internet-2Ddrafts_=DwICAg=OGmtg_3SI10Cogwk-ShFiw=AG9XZF6h6bGkr7jkOsJt13dFth_3nZ0W8EKEBd3N1Q8=aFaF5o0f8sxrnIXNr-n6f34GgoarcpzONIom6hYx98M=nissQXXatn7ed28hWmxicAgfpuOnSoGEK187lL577FU=