Re: DNSKEYset in -protocol Section A example
You are correct, but I think we may be adding more complexity for very
little efficiency. Most DNS admins are not security gurus, so presenting a
list of conditionals to go through to determine how many RRSIGs are needed
at the keyset would be confusing. If all the other RRsets are signed by
both DNSKEYs, why not the DNSKEY RRset?
While there is some efficiency, dropping one RRSIG from the zone file (and
DNSKEY responses) doesn't gain enough to add more complexity to the signing
rules IMHO.
However, since this would be a spec change, I cc'd namedroppers.
Scott
----- Original Message -----
From: "Sam Weiler" <weiler@watson.org>
To: <DNSSEC-editors@east.isi.edu>
Cc: <lcws@secret-wg.org>
Sent: Wednesday, January 21, 2004 4:24 AM
Subject: DNSKEYset in -protocol Section A example
> Kind Editors,
>
> It should only be necessary to sign a DNSKEYset with the DNSKEY(s)
> that are intended to be used as SEPs unless there are multiple
> algorithms in the DNSKEYset, in which case there must be at least one
> RRSIG made by each algorithm. Is there any specific guidance anywhere
> about the first part of that requirement? Section 2.2 doesn't address
> it specifically.
>
> Perhaps this could be combined with the one-key-per-zone discussion
> and SEP clarifications (see my earlier comments on -protocol section
> 2.1).
>
> I noticed this because the signed zone in -protocol appendix A has its
> apex DNSKEYset signed by both of the DNSKEYs. That's not necessarily
> wrong, but the text should point out that it isn't necessary.
>
> -- Sam
>
>
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>