This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC deployment on the reverse tree.
- Previous message (by thread): [dns-wg] Re: [db-wg] DNSSEC deployment on the reverse tree.
- Next message (by thread): [dns-wg] DNSSEC deployment on the reverse tree.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Sam Weiler
weiler at watson.org
Wed Jul 6 05:13:59 CEST 2005
I'm delighted to see that the NCC has set an aggressive schedule for DNSSEC deployment. Here are some comments on the draft procedures, as requested: > "DNSSEC Key Maintenance Procedure" > http://www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html At a first pass, this document looks very good. > "Procedure for Requesting DNSSEC Delegations" > http://www.ripe.net/rs/reverse/dnssec/registry-procedure.html Many things in this look good (not rejecting keys without the SEP bit set, dealing with unsupported message digests, allowing multiple DS records), but I have a few concerns. First, do you need to specify the encoding of the ds-rdata attribute in more detail? I'm worried about the first two rules in the "Delegation Checks" portion of this procedure. Assuming a working delegation chain is in place for each algorithm present in the DS set, it is really necessary to have each of the DNSKEYs present in the zone (the first rule)? I suggest instead: -- For each algorithm present in the set of ds-rdata attributes, is there a matching DNSKEY available in the DNS for at least one of the ds-rdata attributes with that algorithm? (Apologies for the poor word-smithing.) Also, the second test (valid RRSIG, presumably on the DNSKEY RRset) is only possible for supported crypto algorithms. Private algorithms may confound this rule. I suggest: -- "For each of the supported algorithms (3 and 5) present in the set of ds-rdata attributes, is there a valid RRSIG on the DNSKEY RRset made with a DNSKEY that both matches the ds-rdata attribute and is published in the DNS?" or -- "For each of the DNSKEYs identified by rule #1, is there at least one valid RRSIG on the DNSKEY RRset made with a DNSKEY of each algorithm?" And in the text below, say "Tests #2 and #4 will only be performed for supported algorithms". (Again, I suggest 3 and 5). Lastly, I don't understand this description of the web interface: "It will use the "ds-rdata:" attribute of the domain object currently available in the RIPE Whois Database to select the appropriate default DNSKEY RR. It will then select a new "ds-rdata:" attribute." Does this mean that the current ds-rdata will always be replaced? -- Sam
- Previous message (by thread): [dns-wg] Re: [db-wg] DNSSEC deployment on the reverse tree.
- Next message (by thread): [dns-wg] DNSSEC deployment on the reverse tree.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]