On 2011-04-20, at 17:50, George Barwood wrote:

> The arguments for operating with a split still seem very weak to me.

Since you're proposing a SHOULD NOT, I think the pertinent point is (a) whether it does any harm, and (b) whether it is useful in some circumstances. I have seen no discussion of any harm, and several examples of why it might be useful. Hence, to me, SHOULD NOT does not seem appropriate.

> However rolling the KSK should be easy, since it is good security practice to
> change secret keys regularly.

The first clause seems like a rampant generalisation, and the second is contentious (see ekr's various comments on this list regarding the cryptographic benefit of rolling non-compromised RSA keys).

> Fully automatic updates of the parent DS RRset would make this technique more
> practical.

Given that there is no sign of such a mechanism in general, and (in my opinion) there's at least one significant use case where any such mechanism is unlikely to be deployed (the root zone), I don't see a lot of practical value in that comment, either.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop