On 16 Apr 2014, at 8:02, Warren Kumari <war...@kumari.net> wrote:

> I think I made it even clearer:
>
> The first time a DNS operator signs a zone, they need to communicate
> the keying material to their parent through some out-of-band method to
> complete the chain of trust. Depending on the desires of the parent,
> the child might send their DNSKEY record, a DS record, or both.
I don't think you mean "the first time a DNS operator signs a zone". You're making an assumption that a zone, once signed, will never be unsigned. In fact, a zone can be signed, then unsigned, any number of times.

"Whenever a zone's insecure delegation is replaced by a secure delegation, the DNS operator needs to communicate the keying material..."

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
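The "DNSKEY record, a DS record, or both" hand-off discussed above is mechanical once you know how the two records relate: the parent publishes a DS that carries the child key's key tag, algorithm, and a digest over the canonical owner name plus the DNSKEY RDATA (RFC 4034 section 5.1.4, key tag per appendix B). The following is an added example, not code from the thread or from any participant, showing both sides of that exchange: the child deriving the DS from its DNSKEY, and the parent checking that a submitted DS actually matches a DNSKEY the child presents. The owner name `example.com.`, the flags/algorithm values, and the 64-byte public key are constructed placeholders, not a real key.

```python
"""DS derivation and verification for a secure delegation (RFC 4034).

Added example, not from the DNSOP thread. The DNSKEY below is constructed:
the public key bytes are a placeholder, not a real ECDSA key.
"""
import base64
import hashlib
import struct

# DS digest types registered in RFC 4034 / RFC 4509 / RFC 6605 (GOST omitted).
DIGEST_ALGS = {
    1: ("SHA-1", hashlib.sha1),
    2: ("SHA-256", hashlib.sha256),
    4: ("SHA-384", hashlib.sha384),
}

SEP_FLAG = 0x0001  # Secure Entry Point bit; set on the KSK that DS points at


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B: 16-bit one's-complement-style sum of RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """Digest over canonical owner name || DNSKEY RDATA (RFC 4034 5.1.4)."""
    _, hasher = DIGEST_ALGS[digest_type]
    return hasher(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            public_key: bytes, digest_type: int = 2) -> dict:
    """Child side: derive the DS the parent should publish for this DNSKEY."""
    if not flags & SEP_FLAG:
        raise ValueError("DS should point at a key with the SEP bit set (a KSK)")
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return {
        "owner": owner,
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type).hex().upper(),
    }


def ds_matches_dnskey(ds: dict, owner: str, flags: int, protocol: int,
                      algorithm: int, public_key: bytes) -> bool:
    """Parent side: accept a submitted DS only if it matches a DNSKEY the child
    actually presents at its apex (tag, algorithm and digest must all agree)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    if ds["algorithm"] != algorithm or ds["key_tag"] != key_tag(rdata):
        return False
    expected = ds_digest(owner, rdata, ds["digest_type"]).hex().upper()
    return expected == ds["digest"]


def present_dnskey(owner, flags, protocol, algorithm, public_key) -> str:
    """Presentation format of the DNSKEY RR as it would appear in the zone file."""
    return (f"{owner} IN DNSKEY {flags} {protocol} {algorithm} "
            f"{base64.b64encode(public_key).decode()}")


def present_ds(ds: dict) -> str:
    return (f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest']}")


if __name__ == "__main__":
    # Constructed example KSK: flags 257 (ZONE|SEP), protocol 3, alg 13
    # (ECDSAP256SHA256). The key bytes are a placeholder, NOT a real key.
    owner, flags, proto, alg = "example.com.", 257, 3, 13
    pubkey = bytes(range(1, 65))
    ds = make_ds(owner, flags, proto, alg, pubkey)
    print(present_dnskey(owner, flags, proto, alg, pubkey))
    print(present_ds(ds))
    print("parent check:", ds_matches_dnskey(ds, owner, flags, proto, alg, pubkey))
```

If the parent accepts a raw DNSKEY rather than a DS, it runs `make_ds` itself; if it accepts a DS, it should still fetch the child's DNSKEY RRset and run `ds_matches_dnskey` before publishing, otherwise a typo in the submitted digest leaves the child bogus rather than insecure. Both checks apply every time an insecure delegation is replaced by a secure one, not only the first time the zone is signed.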