
Re: [dnsext] RRTYPE request: template for proposed RKEY RRtype



On Dec 4 2008, Ondřej Surý wrote:

It's just a key. Rollover is irrelevant. When a new key is needed, the
old one is retired and the data gets encrypted with the new one. If this
isn't done, the decryption fails. Which is the sole responsibility of
whoever publishes that key and the encrypted NAPTRs associated with that
key.

Unless you are proposing that RKEY records always have a TTL of zero,

Or the owner can publish two RKEYs and start encrypting with the second key
after all caches are clear (similar to the pre-publish method of rotating
DNSKEYs). Or am I missing something?

No, this is probably quite adequate, together with a rubric that clients
need to try all RKEYs in the RRset, possibly weakly distinguished by footprint, etc.
It's just that there is nothing about this in draft-reid-dnsext-rkey-00,
and I think there ought to be. But on further consideration, I agree
that there doesn't need to be anything about it in the template itself.

--
Chris Thompson
Email: cet1@cam.ac.uk
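The pre-publish rollover and the "try every RKEY in the RRset, distinguished by footprint" client rule discussed above, modelled as an added example (not code from draft-reid-dnsext-rkey-00 or from anyone in the thread). The XOR keystream, the footprint derivation, the `|ok` marker and the timeline are constructed assumptions; only the cache-timing and key-selection logic is the point.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class RKey:
    """A published RKEY: key material plus a footprint (key tag) a client can match on."""
    secret: bytes

    @property
    def footprint(self) -> int:
        # Constructed: 16-bit tag derived from the key, standing in for a DNSKEY-style key tag.
        return int.from_bytes(hashlib.sha256(self.secret).digest()[:2], "big")

def _keystream(key: RKey, n: int) -> bytes:
    # Toy SHA-256 counter keystream, NOT a real cipher; only the key-selection logic matters here.
    blocks = (hashlib.sha256(key.secret + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: RKey, plaintext: bytes) -> tuple:
    """Return (footprint, ciphertext); the footprint tells a client which RKEY to try first."""
    return key.footprint, bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))

def decrypt_with_rrset(rrset, footprint: int, ciphertext: bytes):
    """Client rule from the thread: try every RKEY in the RRset, matching on footprint first."""
    candidates = [k for k in rrset if k.footprint == footprint] or list(rrset)
    for key in candidates:
        pt = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext))))
        if pt.endswith(b"|ok"):  # constructed integrity marker standing in for a real AEAD tag
            return pt
    return None

def cached_rrset(fetch_time: int, now: int, ttl: int, zone_history):
    """RRset a resolver that fetched at fetch_time still serves at time now (stale until the TTL expires)."""
    t = fetch_time if now < fetch_time + ttl else now
    return [rrset for published_at, rrset in zone_history if published_at <= t][-1]

def earliest_safe_switch(publish_time: int, ttl: int) -> int:
    """Pre-publish rule: once every RRset fetched before publication has expired, no cache lacks the new key."""
    return publish_time + ttl

def client_can_decrypt(fetch_time: int, switch_time: int, ttl: int, zone_history, new_key: RKey) -> bool:
    """Owner starts encrypting with new_key at switch_time; can a client that cached at fetch_time still read it?"""
    fp, ct = encrypt(new_key, b"NAPTR payload|ok")
    return decrypt_with_rrset(cached_rrset(fetch_time, switch_time, ttl, zone_history), fp, ct) is not None

# Constructed timeline: K1 alone, K2 pre-published at t=100, K1 retired at t=3700; TTL 3600 s.
TTL = 3600
K1, K2 = RKey(b"old-rkey-secret"), RKey(b"new-rkey-secret")
ZONE_HISTORY = [(0, [K1]), (100, [K1, K2]), (earliest_safe_switch(100, TTL), [K2])]
```

A client that cached the single-key RRset at t=99 cannot read data encrypted with K2 at t=200, but can once the owner waits until publish time plus TTL, which is the "after all caches are clear" condition from the thread.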


archive: <http://ops.ietf.org/lists/namedroppers/>