[dns-operations] DNSSEC issue - why?

Edward Lewis edward.lewis at icann.org
Tue Jun 9 12:53:52 UTC 2015


On 6/9/15, 7:42, "Mark Andrews" <marka at isc.org> wrote:

>How could it be done "per key"?  keyid's don't identify a key.  They
>identify a set of keys.

Perhaps but in practice that's not happened.  Some key management software
won't produce a DNSKEY RR matching an existing keyid.  And - "per key"
could still be done via matching within the subset.  But this is a trivial
point.

In general adding one hash of DS alg 2 is probably sufficient to say that
all the 1's are old, but then the RFC ought to have handled this better.
(Like recommending that if any DS 1's are there and a DS 2 is added, have
a DS1 and DS2 for all keys [or for the pedantic] keyid's.)

A long time opinion of mine is that RFCs ought to stick to defining
terms/protocol points in one place and then separately talk about
operational profiles - preferably in documents that can be referenced
separately (like in RFPs and contracts).  I found that trying to make
code prefer newer technologies over old by fiat seems to backfire (like
the way DNS used to prefer v6 over v4 and now seems to have reversed,
looking at some observed behavioral studies).
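As an added example (not part of Lewis's message, and not code from any DNS software discussed on the list), the script below computes DS records from a DNSKEY using the RFC 4034 key tag and digest types 1 (SHA-1) and 2 (SHA-256), and then applies the operational rule proposed above: once a digest type 2 DS is present in the set, every key tag that has a type 1 DS should also have a type 2 one. The public key bytes are constructed and are not a real key. Grouping is by key tag and algorithm, so, as Andrews points out, two distinct keys that collide on a tag would be folded together by this check.

```python
import hashlib
from collections import defaultdict

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical (lowercase, length-prefixed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag (keyid) per RFC 4034 Appendix B: a 16-bit checksum of the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type):
    """Return (keytag, algorithm, digest_type, hex digest) for one DS RR.

    The digest covers the canonical owner name followed by the DNSKEY RDATA.
    """
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def check_ds_set(ds_records):
    """Apply the 'DS1 and DS2 for all keyids' rule to a DS RRset.

    Returns {(keytag, algorithm): [missing digest types]} for every key tag
    that lacks a digest type present elsewhere in the set.  An RRset that
    uses only one digest type is left alone (empty dict).
    """
    present = defaultdict(set)
    for tag, alg, dtype, _ in ds_records:
        present[(tag, alg)].add(dtype)
    all_types = set().union(*present.values()) if present else set()
    if len(all_types) < 2:
        return {}
    return {k: sorted(all_types - v) for k, v in present.items() if all_types - v}


# Constructed sample keys (not real keys): KSK flags 257, protocol 3, alg 13.
KEY_A = dnskey_rdata(257, 3, 13, b"\x01\x02" * 32)
KEY_B = dnskey_rdata(257, 3, 13, b"\x00" * 64)
ZONE = "example.com."


def mixed_ds_set():
    """A DS set where key A was re-published with type 2 but key B was not."""
    return [
        ds_record(ZONE, KEY_A, 1),
        ds_record(ZONE, KEY_A, 2),
        ds_record(ZONE, KEY_B, 1),
    ]


if __name__ == "__main__":
    for tag, alg, dtype, digest in mixed_ds_set():
        print(f"{ZONE} IN DS {tag} {alg} {dtype} {digest}")
    print("missing:", check_ds_set(mixed_ds_set()))
```

The check is deliberately symmetric: if the set mixes digest types at all, each key tag must carry every type in use, which is the "DS1 and DS2 for all keys" profile the message suggests an RFC could have recommended.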