[Opendnssec-develop] KSK Rollovers
Antoin Verschuren
Antoin.Verschuren at sidn.nl
Mon Jul 13 09:57:36 UTC 2009
While I'm generally in favour of such a mechanism, I often wonder whose responsibility it is that a chain of trust is still intact. I would like to consider the operational impact of this.
So first question is:
Should a parent check if a DS that is presented to him over a secure channel is the same as in the child zone before entering it into the parent zone, or is that the responsibility of the child? (bogus in, bogus out)
What are the arguments for or against this?
(Many parents don't do pre-delegation checks. What does DNSSEC change?)
Second:
If children frequently check the DS at the parent zone, this could have quite an impact on a parent zone with many children. Isn't it a better mechanism that the parent checks its DS against the DNSKEY of the child zone and reports on that? (queries are spread out over more zones and servers)
Antoin Verschuren
Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500 F: +31 26 3525505 M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl xmpp:antoin at jabber.sidn.nl http://www.sidn.nl/
> -----Original Message-----
> From: opendnssec-develop-bounces at lists.opendnssec.org [mailto:opendnssec-
> develop-bounces at lists.opendnssec.org] On Behalf Of Jakob Schlyter
> Sent: Sunday, July 12, 2009 11:51 AM
> To: Stephen.Morris at nominet.org.uk
> Cc: Opendnssec-develop at lists.opendnssec.org
> Subject: Re: [Opendnssec-develop] KSK Rollovers
>
> my idea is that we at some point write a program that, given a zonelist,
> compares the DNSKEYs at the child with the DS at each zone's parent,
> and reports back. or it could take action to make sure they are in sync
> (using the appropriate child to registrar protocol).
>
> IMHO, writing such a program (reporting only) should be doable in about
> 3 points and I think we should consider writing one before 1.0.
>
> jakob
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
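The reporting-only check Jakob describes (compare a child's DNSKEY set with the DS set at its parent) and the parent-side variant Antoin suggests both come down to the same computation, shown here as an added example that is not OpenDNSSEC code: derive the DS digest and key tag from each SEP-flagged DNSKEY per RFC 4034, then report KSKs with a matching DS, KSKs with none, and parent DS records that match no published key. The zone name, keys and DS values are constructed, and fetching the live records is left out.

```python
import base64
import hashlib
from collections import namedtuple

# A DS record as (key_tag, algorithm, digest_type, digest-as-lowercase-hex).
DS = namedtuple("DS", "key_tag algorithm digest_type digest")

def wire_name(owner: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels."""
    labels = [l for l in owner.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, algorithm, pubkey_b64, digest_type=2) -> DS:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return DS(key_tag(rdata), algorithm, digest_type, h(wire_name(owner) + rdata).hexdigest())

def check_chain(owner, child_dnskeys, parent_ds):
    """Reporting-only check: which KSKs (SEP bit set) have a matching DS at the parent, which
    do not, and which parent DS records match no published key (e.g. left over from a rollover)."""
    digest_types = {ds.digest_type for ds in parent_ds} or {2}
    parent, used, covered, uncovered = set(parent_ds), set(), [], []
    for flags, alg, key in child_dnskeys:
        if not flags & 0x0001:  # no SEP bit: a ZSK, which is not expected to have a DS
            continue
        hits = {ds_from_dnskey(owner, flags, alg, key, dt) for dt in digest_types} & parent
        (covered if hits else uncovered).append(key_tag(dnskey_rdata(flags, alg, key)))
        used |= hits
    return {"covered": covered, "uncovered": uncovered,
            "stale_ds": sorted(ds.key_tag for ds in parent - used)}

# Constructed sample data (not real keys): two KSKs, one ZSK, and a stale DS at the parent.
KSK_A = base64.b64encode(bytes(range(1, 65))).decode()
KSK_B = base64.b64encode(bytes(range(64, 0, -1))).decode()
ZSK = base64.b64encode(bytes(range(100, 164))).decode()
CHILD_KEYS = [(257, 13, KSK_A), (257, 13, KSK_B), (256, 13, ZSK)]
STALE_DS = DS(12345, 13, 2, "00" * 32)
PARENT_DS = [ds_from_dnskey("child.example.", 257, 13, KSK_A), STALE_DS]
```

Running `check_chain("child.example.", CHILD_KEYS, PARENT_DS)` reports KSK_A as covered, KSK_B as a KSK with no DS at the parent, and the constructed DS with tag 12345 as stale.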