liruochen (A) <li.ruoc...@huawei.com> wrote:
> We picked TSIG out of TSIG/SIG(0) because TSIG seems to have better
> support. We could use SIG(0) for the initial authentication key and
> TSIG for transaction keys (established via TKEY), but that requires
> clients/servers to implement both TSIG and SIG(0).

For larger DNS operators SIG(0) is much safer because the contents of the authorization database are all public keys. For smaller entities, it's kind of a toss-up. TSIG wins because the tools to create SIG(0) have poorer documentation.

I continue to believe that this is a HOWTO documentation thing, not an RFC BCP.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =- *I*LIKE*TRAINS*
_______________________________________________
Acme mailing list -- acme@ietf.org
To unsubscribe send an email to acme-le...@ietf.org