On Jul 5 2011, George Barwood wrote:
The intent is to restrict the ability to update the parent DS to those who have access to key signing keys. Thus where there is a split responsibility (similar to the root zone where IANA has the KSK private key, and Verisign has only the ZSK private key), only the senior party can update the parent DS. The party that only holds the ZSK private key cannot update the parent and take over the zone.
OK - maybe I should have thought of that, but I think it does need to be made clear in the draft. But it remains the case that not all signed zones have this division of responsibilities[*], or even have separate KSKs and ZSKs. Maybe this ought to be a policy matter for each parent-child pair, rather than a protocol MUST/SHOULD.

[*] and to have them in separate *organisations* is pretty much unique to the root zone - where we certainly don't have to worry about how to update the DS records in the parent zone :-)

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: c...@ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
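As an added illustration of the acceptance rule Barwood describes (this is an example written for this page, not code from the thread or from the draft under discussion), here is a parent-side check that only accepts a child's DS-update record when it was signed by a key that already appears in the parent's DS RRset. The DS digest and key tag computations follow RFC 4034 / RFC 4509; the DNSKEY public key bytes and the zone name are constructed placeholders, the check assumes the RRSIG over the update record has already been validated elsewhere, and the function and class names are this example's own. It also covers Thompson's point that some zones have no KSK/ZSK split: a single combined key that is both in the parent DS and signs the zone passes the same rule.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    """Minimal DNSKEY record (RFC 4034 section 2). pubkey is the raw key field."""
    flags: int       # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int   # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    pubkey: bytes
    protocol: int = 3

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.pubkey)


@dataclass(frozen=True)
class DS:
    """DS record as the parent publishes it (RFC 4034 section 5)."""
    key_tag: int
    algorithm: int
    digest_type: int   # 2 = SHA-256 (RFC 4509)
    digest: str        # hex


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the historic RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, key: DNSKEY) -> str:
    """DS digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + key.rdata()).hexdigest()


def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    return DS(key_tag(key.rdata()), key.algorithm, 2, ds_digest(owner, key))


def parent_accepts_ds_update(owner: str, parent_ds_set: set, signer_keys: set) -> bool:
    """Accept the child's DS-update record only if at least one DNSKEY whose
    signature validated over it matches a DS the parent already publishes.
    A holder of the ZSK private key alone therefore cannot change the DS."""
    current = {(d.key_tag, d.algorithm, d.digest) for d in parent_ds_set}
    for key in signer_keys:
        ds = ds_from_dnskey(owner, key)
        if (ds.key_tag, ds.algorithm, ds.digest) in current:
            return True
    return False


# Constructed sample data: not real keys, just distinct byte strings.
OWNER = "example."
KSK = DNSKEY(flags=257, algorithm=13, pubkey=bytes(range(1, 65)))
ZSK = DNSKEY(flags=256, algorithm=13, pubkey=bytes(range(65, 129)))
CSK = DNSKEY(flags=257, algorithm=13, pubkey=bytes(range(129, 193)))  # single combined key


def demo() -> tuple:
    """Three scenarios: update signed with the KSK, with the ZSK only,
    and a zone that uses one combined key with no KSK/ZSK split."""
    parent_ds = {ds_from_dnskey(OWNER, KSK)}          # parent trusts the KSK only
    signed_with_ksk = parent_accepts_ds_update(OWNER, parent_ds, {KSK, ZSK})
    signed_with_zsk_only = parent_accepts_ds_update(OWNER, parent_ds, {ZSK})

    parent_ds_single = {ds_from_dnskey(OWNER, CSK)}   # no split: one key does both jobs
    signed_with_csk = parent_accepts_ds_update(OWNER, parent_ds_single, {CSK})
    return signed_with_ksk, signed_with_zsk_only, signed_with_csk


if __name__ == "__main__":
    ksk_ok, zsk_ok, csk_ok = demo()
    print(f"signed by KSK:      {'accepted' if ksk_ok else 'rejected'}")
    print(f"signed by ZSK only: {'accepted' if zsk_ok else 'rejected'}")
    print(f"single combined key: {'accepted' if csk_ok else 'rejected'}")
```

The rule is deliberately keyed on the DS content rather than on the SEP flag: a parent cannot see how the child divides private keys between organisations, but it can see which keys it has already vouched for, which is exactly the "senior party" set Barwood refers to. For a zone with no KSK/ZSK division the same check degenerates to "the key that signs the zone is the key in the DS", so the policy question Thompson raises is about what the parent demands, not about whether the check can be expressed.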