On Thu, Jan 21, 2010 at 11:14:25AM -0500, Edward Lewis wrote:
> At 11:02 -0500 1/21/10, Andrew Sullivan wrote:
>> Sure, but this may well be the exception and not the rule.
>
> And I've heard the opposite. "automated-registry[0]"-run zones are in
> the minority. (I.e., second level domains, third-level domains, etc...)
Sure. I think the problem here is that we don't know. I have no clue how many systems are updated exclusively by Dynamic Update vs. by someone opening the zonefile in vi. I don't think anyone else knows, either: the scope of DNS operations is far too widely dispersed for anyone to have done anything like a survey.

Therefore, the best we can do is recommend the techniques appropriate to different circumstances. It seems to me that one such technique is, "If it's easier for you to transmit a new DS/DNSKEY than it is for you to roll a KSK, then you don't need a separate KSK. Just roll the one key and be done with it."

A separate question, then, is whether the operational regularity that comes from exercising the above technique all the time outweighs the risks associated with frequent key rolls that result from getting the timing wrong. (My personal opinion is a cautious "yes", but I don't know how firmly I hold that view.)

A

-- 
Andrew Sullivan
a...@shinkuro.com
Shinkuro, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
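The "getting the timing wrong" risk in the message above is concrete enough to compute. The following is an added example, not code from the thread or from any of its participants: it models the earliest safe time for each step of rolling a single key (no separate KSK, so every roll needs a new DS at the parent), following the double-signature rollover described in RFC 4641 and adapting it to a zone signed with one key. The parameter names (`RollParams`, `single_key_roll_schedule`, `check_schedule`) and all TTL and propagation figures are constructed for illustration.

```python
"""
Earliest-safe-time model for a single-key DNSSEC roll (added example; the
TTL and propagation figures used in main() are constructed sample values).

Steps, after RFC 4641's double-signature rollover adapted to one key:
  t0  publish NEW DNSKEY next to OLD and sign every RRset with both keys
  t1  submit the new DS to the parent
  t2  remove OLD DNSKEY and the signatures made with it
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RollParams:
    dnskey_ttl: int          # TTL of the child's DNSKEY RRset (seconds)
    max_zone_ttl: int        # largest TTL of any signed RRset in the zone
    ds_ttl: int              # TTL of the DS RRset at the parent
    child_propagation: int   # time for a zone change to reach all child servers
    parent_propagation: int  # time for a DS change to reach all parent servers
    ds_update_delay: int     # worst case from submitting DS to parent loading it


def single_key_roll_schedule(p: RollParams, t0: int = 0) -> dict:
    """Return the earliest safe time (seconds) for each rollover step."""
    # t1: a validator must never pair the new DS with a cached DNSKEY RRset
    # that lacks NEW, so the old RRset must have aged out of every cache.
    t1 = t0 + p.child_propagation + p.dnskey_ttl
    ds_published = t1 + p.ds_update_delay
    # t2 (DS path): a validator must never pair the old DS with a DNSKEY
    # RRset that no longer contains OLD, so the old DS must have expired.
    t2_ds = ds_published + p.parent_propagation + p.ds_ttl
    # t2 (signature path): RRSIGs cached before t0 carry only OLD's signature;
    # they must have expired before OLD leaves the DNSKEY RRset.
    t2_sig = t0 + p.child_propagation + p.max_zone_ttl
    return {
        "publish_new_key": t0,
        "submit_new_ds": t1,
        "new_ds_published": ds_published,
        "remove_old_key": max(t2_ds, t2_sig),
    }


def check_schedule(p: RollParams, proposed: dict, t0: int = 0) -> list:
    """Compare a proposed schedule with the earliest safe times.

    Returns a list of (step, earliest_safe, proposed) for every step the
    operator has scheduled too early; an empty list means the plan is safe.
    """
    earliest = single_key_roll_schedule(p, t0)
    return [
        (step, earliest[step], when)
        for step, when in proposed.items()
        if step in earliest and when < earliest[step]
    ]


def main() -> None:
    # Constructed sample zone: one-hour DNSKEY TTL, one-day DS TTL at the parent.
    params = RollParams(dnskey_ttl=3600, max_zone_ttl=7200, ds_ttl=86400,
                        child_propagation=600, parent_propagation=1800,
                        ds_update_delay=7200)
    for step, when in single_key_roll_schedule(params).items():
        print(f"{step:18s} at t0 + {when:6d}s ({when / 3600:.1f} h)")
    # An operator who submits the DS 50 minutes after publishing is too early.
    plan = {"submit_new_ds": 3000, "remove_old_key": 99600}
    for step, safe, when in check_schedule(params, plan):
        print(f"too early: {step} planned at {when}s, earliest safe {safe}s")


if __name__ == "__main__":
    main()
```

The two waits that dominate are both DS-driven: the DNSKEY TTL gates when the DS may change, and the DS TTL gates when the old key may go. That is the cost the message refers to when it trades a separate KSK for more frequent DS changes, and the `max_zone_ttl` term is the extra constraint a single key adds, since it signs the data as well as the DNSKEY RRset.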