On Tue, Mar 10, 2009 at 12:55:51PM +1100, Mark Andrews wrote:
>
> In message <f7c89744-a1ca-4fd6-b793-2f4e337e3...@verisign.com>, David Blacka writes:
> >
> > On Mar 9, 2009, at 5:35 PM, Mark Andrews wrote:
> > >
> > >     On a related issue DS -> DNSKEY translations cannot be
> > >     performed until the DNSKEY is published in the zone.  The
> > >     use of DS prevents pre-publishing of keys.
> >
> > Huh?  You can generate a DS from the DNSKEY record that you have
> > generated but not yet published, so you can pre-publish the DS just as
> > soon as you could pre-publish your DNSKEY.  As for actually *using*
> > the DS as a trust anchor, you can't use either the DS or the DNSKEY
> > prior to actually publishing and *using* the DNSKEY.  Or maybe I just
> > don't understand your point.
>
>     When you pre-publish a DS you prevent implementations that
>     use DNSKEYs from taking advantage of that pre-publication.

    sounds like an implementation bug

--bill

>
>     When you pre-publish DNSKEYs implementations that use
>     DS or DNSKEYs can take advantage of that pre-publication.
>
> > >     I can see no real reason to recommend that DS records be
> > >     published in preference to DNSKEY records.
> >
> > They are small and easier to eyeball as correct.
> >
> > >     DNSKEY -> DS is a conversion that can be at anytime.
> > >
> > >     This makes DNSKEY a better mandatory record to publish.
> >
> > I don't follow.
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
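
Added example, not part of the thread: the DNSKEY -> DS conversion discussed above, following the RFC 4034 rules (digest over the canonical owner name plus the DNSKEY RDATA, key tag per Appendix B), with the only possible reverse step being a hash-and-compare against a candidate DNSKEY. The function names and the key bytes are constructed for illustration.

```python
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, uncompressed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DNSKEY -> DS. Needs only the key itself, published in the zone or not."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), algorithm, digest_type, digest)

def ds_matches(ds, owner, flags, protocol, algorithm, pubkey) -> bool:
    """DS -> DNSKEY cannot be computed; a candidate key can only be checked."""
    digest_type = ds[2]
    if digest_type not in DIGESTS:
        return False
    return make_ds(owner, flags, protocol, algorithm, pubkey, digest_type) == ds

# Constructed sample key material (not real keys).
STANDBY_KEY = bytes(range(1, 65))
OTHER_KEY = bytes(range(2, 66))

if __name__ == "__main__":
    ds = make_ds("example.", 257, 3, 8, STANDBY_KEY)
    print("example. IN DS %d %d %d %s" % (ds[0], ds[1], ds[2], ds[3].hex().upper()))
    print("matches standby key:", ds_matches(ds, "example.", 257, 3, 8, STANDBY_KEY))
    print("matches other key:  ", ds_matches(ds, "example.", 257, 3, 8, OTHER_KEY))
```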