On Thu, 12 Mar 2009, Mark Andrews wrote:
> > The principle here is that there is no error if "for a DS record
> > there is no corresponding DNSKEY" and vice versa. All that is needed
> > for validation is one "chain of trust." Accepting dangling
> > references is not optimal but provides robustness.

> Ed, I'm aware there are multiple ways to do this. However
> publishing DS records only precludes some methods. Publishing
> DNSKEY records does not preclude any methods as one can
> *ALWAYS* generate a DS from a DNSKEY. The reverse requires
> you to look up a key which matches, which means it must be
> available to be looked up.

Which can be a good thing. For instance, adding keys to the DLV, I think it
is better to give ISC the DS record. If they cannot get the DNSKEY, neither
can the world, and then you don't want the DLV entry to be included.
Paul
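The asymmetry Mark describes, that a DS can always be derived from a DNSKEY but a DS alone can only be matched against keys you already have, follows directly from how a DS is constructed: per RFC 4034 section 5.1.4 the digest is computed over the canonical owner name followed by the DNSKEY RDATA, and the key tag is the RFC 4034 Appendix B checksum of that RDATA. The following Python is an added example, not code from this thread or from any of the participants; the owner name and key material are constructed values (not a real key), and the function names are this example's own.

```python
"""
Derive a DS record from a DNSKEY (RFC 4034 section 5.1.4; SHA-256 digest type
from RFC 4509) and, in the other direction, find which DNSKEY a DS refers to.
Only the forward direction is always possible: a DS whose DNSKEY cannot be
fetched is a dangling reference that validators simply cannot use.
"""
import hashlib
import struct
from typing import NamedTuple, Optional, Sequence


class DNSKEY(NamedTuple):
    flags: int        # 16-bit flags: 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 8 = RSASHA256
    public_key: bytes


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int  # 1 = SHA-1, 2 = SHA-256
    digest: bytes


def dnskey_rdata(key: DNSKEY) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit word sum of the RDATA plus its carry."""
    acc = 0
    for i in range(0, len(rdata), 2):
        hi = rdata[i]
        lo = rdata[i + 1] if i + 1 < len(rdata) else 0
        acc += (hi << 8) | lo
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def canonical_owner_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase labels, uncompressed, root-terminated."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        encoded = label.encode("ascii")
        if len(encoded) > 63:
            raise ValueError(f"label too long: {label!r}")
        out += bytes([len(encoded)]) + encoded
    return out + b"\x00"


_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """Forward direction: always possible given the DNSKEY and its owner name."""
    rdata = dnskey_rdata(key)
    digest = _DIGESTS[digest_type](canonical_owner_name(owner) + rdata).digest()
    return DS(key_tag(rdata), key.algorithm, digest_type, digest)


def find_matching_dnskey(owner: str, ds: DS, candidates: Sequence[DNSKEY]) -> Optional[DNSKEY]:
    """Reverse direction: a DS only identifies a key among keys you can already see.
    Returns None when no candidate matches, i.e. the DS dangles."""
    for key in candidates:
        if key.algorithm != ds.algorithm:
            continue
        if ds_from_dnskey(owner, key, ds.digest_type) == ds:
            return key
    return None


# Constructed sample data: not real keys, chosen so the key tag is easy to check by hand.
EXAMPLE_OWNER = "Example.COM."
EXAMPLE_KSK = DNSKEY(flags=257, protocol=3, algorithm=8, public_key=bytes(range(1, 17)))
EXAMPLE_ZSK = DNSKEY(flags=256, protocol=3, algorithm=8, public_key=bytes(range(16, 0, -1)))


if __name__ == "__main__":
    ds = ds_from_dnskey(EXAMPLE_OWNER, EXAMPLE_KSK)
    print(f"{EXAMPLE_OWNER.lower()} DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest.hex().upper()}")
    print("matches KSK:", find_matching_dnskey(EXAMPLE_OWNER, ds, [EXAMPLE_ZSK, EXAMPLE_KSK]) == EXAMPLE_KSK)
    print("dangling without KSK:", find_matching_dnskey(EXAMPLE_OWNER, ds, [EXAMPLE_ZSK]) is None)
```

Note that the owner name is folded to lowercase and the trailing dot is irrelevant, so `example.com` and `Example.COM.` yield the same DS, while the same DNSKEY published under a different owner name yields a different digest; this is why a DS handed to a DLV operator only ever identifies one (name, key) pair and cannot be turned back into the key itself.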
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop