Re: DNSKEY flags field
On Monday 14 June 2004 3:49 pm, Edward Lewis wrote:
> Tossing out this - how safe is it to assume that if the hash in a DS
> RR matches the DNSKEY RR with proto=4, that the DNSKEY RR is genuine?
> Even if the RRSIG over the DNSKEY set indicates keys that are all
> proto=4?
I suppose it is fairly safe. My thinking is that if it wasn't (if Olaf's
crypto concerns were actually a concern), then DS is problematic already.
> Ahh - we lose the ability to detect signatures out of time. I know
> we've kicked around the utility of signing the DNSKEY RRset in light
> of the DS RR hash. The reason the signatures are still relevant is
> because they are the only means the child has to limit the time the
> key set is "validate-able." (The DS RR is also signed and thus time
> limited, but this time limit is supplied by the parent.)
This is an issue. A bigger issue, in my mind, is that a validator would
*only* trust that key. You would be unable to chain that trust to a ZSK, for
example. Very annoying.
--
David Blacka <davidb@verisignlabs.com>
Sr. Engineer VeriSign Applied Research
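To make the two points of the reply concrete (a DS hash only identifies a DNSKEY; the RRSIG over the DNSKEY RRset is what bounds the time the key set is validate-able), here is an added example that is not from the thread or from any DNSSEC implementation. It computes the DS digest as RFC 4034 defines it (SHA-1 or SHA-256 over the canonical owner name followed by the DNSKEY RDATA) and only accepts a key when both the DS matches and the signature window covers "now"; the key bytes, the DS record and the RRSIG times are constructed sample values, the protocol field is the standard value 3, and signature times are plain integers rather than 32-bit serial arithmetic.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the public key blob."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the whole RDATA (RFC 4034 Appendix B); a checksum, not a security property."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = H(canonical owner name | DNSKEY RDATA); type 1 = SHA-1, type 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()

def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """A DS matches a DNSKEY only if key tag, algorithm and digest all agree."""
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))

def dnskey_usable(ds: dict, owner: str, rdata: bytes, rrsig: dict, now: int) -> bool:
    """The DS hash proves which key this is; only the RRSIG over the DNSKEY RRset
    (inception/expiration chosen by the child) says whether the set is valid right now."""
    if not ds_matches(ds, owner, rdata):
        return False
    return rrsig["inception"] <= now <= rrsig["expiration"]

# Constructed sample data (not a real key): a KSK-flagged DNSKEY at example.com.
OWNER = "example.com."
KSK = dnskey_rdata(flags=257, protocol=3, algorithm=5, pubkey=b"\x01\x02")
DS = {"key_tag": key_tag(KSK), "algorithm": 5, "digest_type": 2,
      "digest": ds_digest(OWNER, KSK, 2)}
SIG = {"inception": 1_000_000, "expiration": 1_000_000 + 30 * 86400}
```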
archive: <http://ops.ietf.org/lists/namedroppers/>