> On Thu, Aug 28, 2008 at 12:04:15AM -0400, Brian Dickson wrote:
> >
> > The DS may be provided by the operator of the subordinate zone, or built
> > by the parent operator,
> > most likely the latter.
>
>
> thats an interesting premise.
> why do you think this will be the case?
>
> (I would posit that the folks generating the DNSKEY will also
> want to generate the DS hash on their known, trusted signing tools
> instead of trusting the parent w/ the DNSKEY materials)
The parents can seen the public side of the DNSKEY materials
which the DS identifies.
> > Brian
The problem is that *only* the child knows which DNSKEYs
need DS records and which ones don't.
The child may even want to have DS's published in advance
of the associcated DNSKEY being published to reduce DNSKEY
RRset size at KSK rollover by using a replacement strategy
for the KSK.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
