Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> > and in case of private/internal domain even logical - it's not useful to
> > push DS records to parent, and even possible with 2 versions of the same
> > zone.

You can have a secure delegation in the parent if you sign both versions of
the zone with the same KSK. (There are lots of reasons that it might be
difficult to do this in practice, though.)

> On 08.02.18 19:12, Mark Andrews wrote:
> > The point on OPTOUT is to allow the parent zone to add and remove
> > insecure delegations without resigning.
>
> shouldn't that cause validation to stop?

Well, that's what I expected :-) this is why I said it's arguable which is
the right behaviour - it depends on your view of what opt-out does. Does it
avoid re-signing work in zones with lots of insecure delegations (the
authoritative point of view), or does it stop validation (the recursive
point of view)? Mark's point is that the auth PoV is the original motivating
purpose of opt-out.

But really this question is beside the point. We'll have a lot less fun
exploring these corner cases in the protocol if people stop trying to play
silly buggers with the DNS namespace and delegate things properly.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Irish Sea: Southwest 5 to 7 veering northwest 6 to gale 8, perhaps severe
gale 9 later. Slight or moderate, becoming moderate or rough. Rain then
wintry showers. Good, occasionally poor.
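The "same KSK in both versions" requirement above can be checked mechanically: derive the DS (RFC 4034 key tag and SHA-256 digest) from the DNSKEY each view publishes and compare it with the DS the parent holds. This is an added example, not code from the thread or from BIND; the zone name `corp.example` and the key bytes are constructed placeholders, not real key material.

```python
import hashlib
import struct

# Added example, not from the thread: derive a DS record from the DNSKEY each
# view of a split zone serves and check it against the DS in the parent.
# If the two views use different KSKs, the parent DS can cover only one of
# them and validation of the other view will fail.

def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of the owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def ds_from_dnskey(owner: str, flags: int, algorithm: int, pubkey: bytes):
    """Return (key tag, algorithm, digest type 2, SHA-256 digest hex) as in a DS RR."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def views_matching_parent(owner: str, parent_ds, views: dict) -> list:
    """views maps a view name to (flags, algorithm, pubkey) of its KSK;
    returns the names of the views whose KSK the parent's DS actually covers."""
    return sorted(v for v, (f, a, k) in views.items()
                  if ds_from_dnskey(owner, f, a, k) == parent_ds)

# Constructed placeholder key bytes (not valid ECDSA keys); 257 = KSK flags,
# 13 = ECDSAP256SHA256.
ZONE = "corp.example"
KSK = b"\x01\x02\x03\x04"
OTHER_KSK = b"\x04\x03\x02\x01"
PARENT_DS = ds_from_dnskey(ZONE, 257, 13, KSK)

if __name__ == "__main__":
    shared = {"internal": (257, 13, KSK), "external": (257, 13, KSK)}
    split = {"internal": (257, 13, KSK), "external": (257, 13, OTHER_KSK)}
    print("same KSK in both views:", views_matching_parent(ZONE, PARENT_DS, shared))
    print("different KSK per view:", views_matching_parent(ZONE, PARENT_DS, split))
```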