On 3/11/15 1:38 AM, Paul Vixie wrote:
> TSIG won't scale for something like this. Please consider SIG(0).
Neither solves the problem of authenticating the entity which is sending the DS update.
The child synchronization draft does a better job, even though I still don't like that idea either.
I realize that I'm being a curmudgeon here, and that my stance (DNS is difficult, DNSSEC more so, thus you need to learn how to do them correctly or suffer the consequences) is not a popular one. But, as we all know, security and convenience are two ends of a continuum, and continuing to erode what little security is provided by DNSSEC (*cough* negative trust anchors *cough*) is steadily making the effort put into getting it off the ground meaningless.
Doug

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations