[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-ietf-dnsext-keyrr-key-signing-flag-04.txt

To: <namedroppers@ops.ietf.org>, <Mark.Andrews@isc.org>
Subject: Re: draft-ietf-dnsext-keyrr-key-signing-flag-04.txt
From: "Scott Rose" <scottr@antd.nist.gov>
Date: Thu, 19 Dec 2002 07:41:07 -0500
Organization: NIST
References: <200212190351.gBJ3phdv044664@drugs.dv.isc.org>

If I remember the discussions that brought the KSK draft out:  It was never
meant to be a protocol relevant bit, but a administrator/human readable bit.
The problem found during the workshops was the inability to distinguish
between keys just by their fingerprint.  So a bit was proposed to signify
which KEY RR held the KEY signing key.

A conscious decision was made to make this a "human readable only" bit in
the flags and not assign any protocol value to it.  It would have lead to
more complexity for the resolver and the spec that is unnecessary.  Not all
zones will have KEYs and KSKs and should not be made to have them.   A
resolver shouldn't care if the KSK bit is one and it is still used to sign
the zone.

Scott

----- Original Message -----
From: <Mark.Andrews@isc.org>
To: <namedroppers@ops.ietf.org>
Sent: Wednesday, December 18, 2002 10:51 PM
Subject: Re: draft-ietf-dnsext-keyrr-key-signing-flag-04.txt


>
> There are multiple conflicting definitions of what a KSK is.
>
>    With the DS record [5] the concept of key-signing and zone-signing
>    keys has been introduced.  Key-signing keys are the keys that sign
>    the keyset only.  In general, key-signing keys are the keys that are
>    pointed to by DS records and are the first keys to be used when
>    following a chain of trust into the zone.  The key-signing keys only
>    sign the KEY RRset at the apex of a zone, zone- signing keys sign all
>    other data in a zone.  We propose a flag to distinguish the key-
>    signing key from other keys in the KEY RR set during DNSSEC
>    operations.
>
>    By setting the KSK flag on a particular key, zone administrators
>    indicate that that key SHOULD be used as the secure entry point for
>    their zone.  Therefore zone administrators SHOULD set the bit only
>    for zone keys that are used to sign the KEY RRset and are intended to
>    act as the first link in the chain of trust for their zone.
>
> The last sentence should be changed to:
>
> Therefore zone administrators SHOULD set the bit only
>    for zone keys that are used to sign the KEY RRset only and are intended
to
>    act as the first link in the chain of trust for their zone.
>
> to bring the definitions into alignment.
>
> There should be a note that if KSK is set on a key that there
> MUST be other keys without KSK set to sign the rest of the zone's
> contents as KSK's are restricted to only signing the KEY RRset.
>
> Mark
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742          INTERNET: Mark.Andrews@isc.org
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Follow-Ups:
- Re: draft-ietf-dnsext-keyrr-key-signing-flag-04.txt
  - From: Randy Bush <randy@psg.com>
- Re: draft-ietf-dnsext-keyrr-key-signing-flag-04.txt
  - From: Mark.Andrews@isc.org

References:
- Re: draft-ietf-dnsext-keyrr-key-signing-flag-04.txt
  - From: Mark.Andrews@isc.org

Prev by Date: Re: draft-ietf-dnsext-keyrr-key-signing-flag-04.txt
Next by Date: Re: draft-ietf-dnsext-keyrr-key-signing-flag-04.txt
Previous by thread: Re: draft-ietf-dnsext-keyrr-key-signing-flag-04.txt
Next by thread: Re: draft-ietf-dnsext-keyrr-key-signing-flag-04.txt
Index(es):
- Date
- Thread