Patrik;

> We have a problem when "a domain changes hands" and the private DS key
> in some way is changed, should be changed, and sometimes is not changed
> as it should.
That is a manifestation of the fundamental problem that DNSSEC is not end to end. If DNSSEC were end to end, end users could have full control over security information, so that propagation of changes could be instantaneous.

However, the reality is that timely and secure revocation of security information is possible only if a secure real-time channel to revoke the security information exists between peers. Of course, timely and secure revocation of security information on that channel needs yet another secure real-time channel. :-)

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop