Re: [dane] antique signer?

Mark Andrews <marka@isc.org> Sat, 14 April 2012 07:59 UTC

To: bmanning@vacation.karoshi.com
From: Mark Andrews <marka@isc.org>
References: <20120410164131.GA2938@vacation.karoshi.com.>
In-reply-to: Your message of "Tue, 10 Apr 2012 16:41:31 GMT." <20120410164131.GA2938@vacation.karoshi.com.>
Date: Sat, 14 Apr 2012 17:59:21 +1000
Message-Id: <20120414075922.06DD01FB61F4@drugs.dv.isc.org>
Cc: dane@ietf.org
Subject: Re: [dane] antique signer?

In message <20120410164131.GA2938@vacation.karoshi.com.>, bmanning@vacation.karoshi.com writes:
> 
> dnssec-signzone -o bar.scan.net bar.scan.net
> dnssec-signzone: warning: bar.scan.net:17: unknown RR type 'TLSA'
> dnssec-signzone: fatal: failed loading zone from 'bar.scan.net': unknown class/type
 
And the purpose of this was what?  To show that someone hasn't added
type specific code for TLSA records within 24 hours of the type
being assigned despite there being no need for that type specific
code to be written to actually use TLSA records?

% dnssec-signzone -S -o example.net junk
dnssec-signzone: warning: junk:1: no TTL specified; using SOA MINTTL instead
Fetching ZSK 26127/RSASHA1 from key repository.
Fetching KSK 61969/RSASHA1 from key repository.
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 1 active, 0 stand-by, 0 revoked
junk.signed
% cat junk
@	SOA	. . 0 0 0 0 0
@	NS @
@	TYPE52	\# 11 00 00 00 1234567890abcdef
% 

Of course it isn't that hard to add support for TLSA but like all
things the changes will need to be reviewed.  You could have just
submitted patches instead of waiting for someone else to do it.  It's
not like you don't have the skill to do it.

% cat junk
@	SOA	. . 0 0 0 0 0
@	NS @
@	TLSA	0 0 0 1234567890abcdef
% dnssec-keygen example.net
Generating key pair..............++++++ ..............++++++ 
Kexample.net.+005+26127
[drugs:~/git/bind9] marka% dnssec-keygen -f KSK example.net
Generating key pair...........................................................................................................................................................................................................................+++ ...............................................................................+++ 
Kexample.net.+005+61969
% bin/dnssec/dnssec-signzone -S -o example.net junk
dnssec-signzone: warning: junk:1: no TTL specified; using SOA MINTTL instead
Fetching ZSK 26127/RSASHA1 from key repository.
Fetching KSK 61969/RSASHA1 from key repository.
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 1 active, 0 stand-by, 0 revoked
junk.signed
% 

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
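The point of the two zone files above is that the TYPE52 generic line and the TLSA line carry the same RDATA. The following is an added example, not code from the thread or from BIND, that converts between the RFC 3597 generic form (`TYPE52 \# <len> <hex>`) and the TLSA presentation form, and enforces the RFC 3597 rule that the declared octet count must match the hex that follows; the function names are this example's own.

```python
# Added example (not from the thread or from BIND): the same TLSA record in the
# RFC 3597 generic form "TYPE52 \# <len> <hex>" that any 3597-aware signer loads
# without type-specific code, and in presentation form "TLSA u s m <hex>".
import re

TLSA_TYPE = 52  # IANA RR type number assigned to TLSA
# Generic RDATA: optional TYPE52 mnemonic, "\#", decimal octet count, hex octets
# (RFC 3597 permits whitespace inside the hex).
_GENERIC = re.compile(r"^(?:TYPE52\s+)?\\#\s+(\d+)((?:\s|[0-9A-Fa-f])*)$")

def tlsa_to_generic(usage, selector, mtype, assoc_hex):
    """Render TLSA fields as 'TYPE52 \\# <length> <hex>' (first zone above)."""
    for name, v in (("usage", usage), ("selector", selector), ("matching type", mtype)):
        if not 0 <= v <= 255:
            raise ValueError(f"{name} must fit in one octet, got {v}")
    assoc = bytes.fromhex(assoc_hex)  # rejects odd-length or non-hex input
    length = 3 + len(assoc)           # three one-octet fields plus association data
    hexpart = f"{usage:02x} {selector:02x} {mtype:02x} {assoc.hex()}".rstrip()
    return f"TYPE{TLSA_TYPE} \\# {length} {hexpart}"

def generic_to_tlsa(rr):
    """Parse generic RDATA back into (usage, selector, mtype, hex), with the length check."""
    m = _GENERIC.match(rr.strip())
    if not m:
        raise ValueError("not RFC 3597 generic RDATA")
    declared = int(m.group(1))
    raw = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(raw) != declared:
        raise ValueError(f"length field says {declared} octets, hex carries {len(raw)}")
    if len(raw) < 3:
        raise ValueError("TLSA RDATA needs usage, selector and matching-type octets")
    return raw[0], raw[1], raw[2], raw[3:].hex()

def tlsa_presentation(usage, selector, mtype, assoc_hex):
    """Type-specific presentation form, as in the second zone above."""
    return f"TLSA {usage} {selector} {mtype} {assoc_hex}"

def is_valid_generic(rr):
    """True only if the record parses and its length field matches the hex."""
    try:
        generic_to_tlsa(rr)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # The thread's record, then a constructed 3 1 1 record over a made-up digest.
    print(tlsa_presentation(*generic_to_tlsa("TYPE52 \\# 11 00 00 00 1234567890abcdef")))
    print(tlsa_to_generic(3, 1, 1, "ab" * 32))
```

The generic form is what to fall back on when a signer or master file loader predates the TLSA mnemonic; the length check is what catches a hand-typed `\#` line whose octet count and hex have drifted apart.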