In message <f7c89744-a1ca-4fd6-b793-2f4e337e3...@verisign.com>, David Blacka writes:
> 
> On Mar 9, 2009, at 5:35 PM, Mark Andrews wrote:
> >
> >     On a related issue DS -> DNSKEY translations cannot be
> >     performed until the DNSKEY is published in the zone.  The
> >     use of DS prevents pre-publishing of keys.
> 
> Huh?  You can generate a DS from the DNSKEY record that you have  
> generated but not yet published, so you can pre-publish the DS just as  
> soon as you could pre-publish your DNSKEY.  As for actually *using*  
> the DS as a trust anchor, you can't use either the DS or the DNSKEY  
> prior to actually publishing and *using* the DNSKEY.  Or maybe I just  
> don't understand your point.

        When you pre-publish a DS you prevent implementations that
        use DNSKEYs from taking advantage of that pre-publication.

        When you pre-publish DNSKEYs, implementations that use
        DS or DNSKEYs can take advantage of that pre-publication.

> >     I can see no real reason to recommend that DS records be
> >     published in preference to DNSKEY records.
> 
> They are small and easier to eyeball as correct.
> 
> >     DNSKEY -> DS is a conversion that can be at anytime.
> >
> >     This makes DNSKEY a better mandatory record to publish.
> 
> I don't follow.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
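The asymmetry Mark Andrews is describing, as an added example that is not part of the thread and not ISC's or Verisign's code: the DNSKEY -> DS direction is a hash over the owner name and the DNSKEY RDATA (RFC 4034 section 5.1.4, key tag per Appendix B), so it can be computed from a key that has been generated but not yet published; the DS -> DNSKEY direction cannot invert the hash and can only search the DNSKEY RRset actually published in the zone. The zone name `example.com` and the key bytes are constructed for the demo (they are not real ECDSA keys); `ZONE`, `TOY_KSK`, `OLD_KEY` and `demo()` are names chosen here, not from the original message.

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # RFC 4034 section 2.1 wire format: flags(2) protocol(1) algorithm(1) key
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


# DS digest types 1 (SHA-1) and 2 (SHA-256); others omitted for brevity
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_wire(name: str) -> bytes:
    """Canonical owner name (RFC 4034 section 6.2): lower-case, uncompressed, fully qualified."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5 case)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_to_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DNSKEY -> DS: needs only the key material, so it works before the DNSKEY is published."""
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def ds_to_dnskey(owner: str, ds: DS, published: list[DNSKEY]) -> DNSKEY | None:
    """DS -> DNSKEY: the hash cannot be inverted, so the only 'translation' is a
    search of the DNSKEYs actually published in the zone. Returns None if absent."""
    for key in published:
        if key.algorithm != ds.algorithm or key_tag(key) != ds.key_tag:
            continue
        if dnskey_to_ds(owner, key, ds.digest_type).digest == ds.digest:
            return key
    return None


# Constructed demo data (hypothetical zone and toy key bytes, not real keys)
ZONE = "Example.COM."
OLD_KEY = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes.fromhex("aabbccdd"))
TOY_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes.fromhex("01020304"))


def demo() -> tuple[DS, DNSKEY | None, DNSKEY | None]:
    """Pre-publish the DS for TOY_KSK, then try the DS -> DNSKEY lookup
    before and after TOY_KSK appears in the zone's DNSKEY RRset."""
    ds = dnskey_to_ds(ZONE, TOY_KSK)          # possible with only the generated key
    before = ds_to_dnskey(ZONE, ds, [OLD_KEY])            # DNSKEY not yet published
    after = ds_to_dnskey(ZONE, ds, [OLD_KEY, TOY_KSK])    # DNSKEY now published
    return ds, before, after


if __name__ == "__main__":
    ds, before, after = demo()
    print(f"DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest.hex().upper()}")
    print("DS -> DNSKEY before publication:", before)
    print("DS -> DNSKEY after publication: ", after)
```

A validator given only a pre-published DS record is therefore stuck until the matching DNSKEY appears in the zone, whereas a validator given the DNSKEY itself can derive the DS locally at any time, which is the practical content of the point above.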
