This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] DNSSEC deployment on the reverse tree.

Previous message (by thread): [dns-wg] Re: [db-wg] DNSSEC deployment on the reverse tree.
Next message (by thread): [dns-wg] DNSSEC deployment on the reverse tree.

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Sam Weiler weiler at watson.org
Wed Jul 6 05:13:59 CEST 2005

I'm delighted to see that the NCC has set an aggressive schedule for 
DNSSEC deployment.  Here are some comments on the draft procedures, as 
requested:

>  "DNSSEC Key Maintenance Procedure"
>  http://www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html

At a first pass, this document looks very good.

>  "Procedure for Requesting DNSSEC Delegations"
>  http://www.ripe.net/rs/reverse/dnssec/registry-procedure.html

Many things in this look good (not rejecting keys without the SEP bit 
set, dealing with unsupported message digests, allowing multiple DS 
records), but I have a few concerns.

First, do you need to specify the encoding of the ds-rdata attribute 
in more detail?

I'm worried about the first two rules in the "Delegation Checks" 
portion of this procedure.  Assuming a working delegation chain is in 
place for each algorithm present in the DS set, it is really necessary 
to have each of the DNSKEYs present in the zone (the first rule)?  I 
suggest instead:
   -- For each algorithm present in the set of ds-rdata attributes, is
      there a matching DNSKEY available in the DNS for at least one of
      the ds-rdata attributes with that algorithm?  (Apologies for the
      poor word-smithing.)

Also, the second test (valid RRSIG, presumably on the DNSKEY RRset) is 
only possible for supported crypto algorithms.  Private algorithms may 
confound this rule.  I suggest:
    -- "For each of the supported algorithms (3 and 5) present in the
       set of ds-rdata attributes, is there a valid RRSIG on the
       DNSKEY RRset made with a DNSKEY that both matches the ds-rdata
       attribute and is published in the DNS?"  or
    -- "For each of the DNSKEYs identified by rule #1, is there at
       least one valid RRSIG on the DNSKEY RRset made with a DNSKEY of
       each algorithm?"  And in the text below, say "Tests #2 and #4
       will only be performed for supported algorithms".  (Again, I
       suggest 3 and 5).

Lastly, I don't understand this description of the web interface: "It 
will use the "ds-rdata:" attribute of the domain object currently 
available in the RIPE Whois Database to select the appropriate default 
DNSKEY RR. It will then select a new "ds-rdata:" attribute."  Does 
this mean that the current ds-rdata will always be replaced?

-- Sam

Previous message (by thread): [dns-wg] Re: [db-wg] DNSSEC deployment on the reverse tree.
Next message (by thread): [dns-wg] DNSSEC deployment on the reverse tree.

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]