On 3/11/15 11:11 AM, Edward Lewis wrote:
> On 3/11/15, 13:31, "Doug Barton" <do...@dougbarton.us> wrote:
> > Neither solves the problem of authenticating the entity which is sending
> > the DS update.
>
> Note that my request was not for a means to update the parent but to
> prevent the child from shooting themselves in the foot. A much less
> involved operation.
>
> Perhaps I wasn't clear enough in my plea.

FWIW, I understood where you were going, and I don't disagree. I was
responding to Paul and Mark who were not only headed off into the weeds,
but were getting close to the poison oak. :)

> Is there a reason the grand toolset cannot build in a breaking system to
> prevent taking unwise steps? Like refusing to remove a DNSKEY if the DS
> set exists and does not reference any other key?

I think it would be OK to put up a large, difficult to ignore warning
that the user is about to do something painfully stupid, sure. How much
farther than that to go is an exercise for the implementors.

And the issue of non-BIND authoritative servers not doing their own
iterative queries is a red herring. I would be astonished if those
systems were not on a host that had access to a resolver.

Doug
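The guard rail Edward describes (refuse to delete a DNSKEY while the parent's DS RRset would no longer reference any remaining key), written out as an added Python example that is not from this thread or from any DNSSEC tool mentioned in it. It assumes the DS set has already been fetched from the parent (the resolver lookup the last paragraph refers to), handles only SHA-256 (digest type 2) DS records, and the class, function and parameter names are its own; any key bytes a caller passes in for testing are constructed, not real key material.

```python
import hashlib
import struct
from dataclasses import dataclass

DS_DIGEST_SHA256 = 2  # DS digest type 2 = SHA-256 (RFC 4509)


@dataclass(frozen=True)
class Dnskey:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw key material exactly as carried in the RDATA

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is omitted)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class Ds:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name: 'example.' -> b'\\x07example\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner: str, key: Dnskey) -> Ds:
    """DS for a DNSKEY: SHA-256 over owner-name wire form + DNSKEY RDATA (RFC 4034 s5.1.4)."""
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return Ds(key.key_tag(), key.algorithm, DS_DIGEST_SHA256, digest)


def safe_to_remove(owner: str, dnskeys: list, ds_set: list, victim: Dnskey) -> bool:
    """False when deleting `victim` would leave no DNSKEY that any DS at the parent refers to."""
    if not ds_set:
        return True  # no DS at the parent, so nothing there can be orphaned
    remaining = [k for k in dnskeys if k != victim]
    sha256_ds = [ds for ds in ds_set if ds.digest_type == DS_DIGEST_SHA256]
    return any(ds == make_ds(owner, k) for ds in sha256_ds for k in remaining)
```

A tool would call `safe_to_remove` before deleting the key and, when it returns False, either refuse or show the loud warning Doug suggests.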
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations