[Dnssec-deployment] accepting DS vs DNSKEY (was: KSK bytes)

Peter Koch pk at ISOC.DE
Sun May 8 08:59:53 EDT 2011

On Wed, May 04, 2011 at 08:35:17AM -0400, Andrew Sullivan wrote:

> Now, one could argue that the parent-side NS records are an analogy,
> but I'm not entirely sure I agree because NS is used on both sides of
> the cut.  

you could well argue that the child registers what it has, not what it
wants and that the parent published what the protocol gave it for its
side of the zone cut. In the case of the NS RRSet, both parent and
child use the same RR type. In the case of the key, there's DNSKEY
at the child and DS at the parent, so the child registers its key
(or keys) and the parent happily publishes the corresponding DS RR(s).

> I don't want to be doctrinaire, and I can think of arguments in either
> direction.  But I am not convinced there is only one right answer here.

When we did our little survey to find what RR type TLD registries were
using as teh registration subject, the most frequent response was that
"we're using DS because that's what EPP demands". Now, this was kind
of true back then, but not only has the EPP part been corrected in the
meantime, it also provided little technical (or protocol architecture)
argument while at the same time biasing "operational wisdom" in one direction.


More information about the Dnssec-deployment mailing list