unless, of course, DNSSEC allowed for signing individual records instead of zones.
manning
bmann...@karoshi.com
PO Box 12317
Marina del Rey, CA 90295
310.322.8102

On 30June2015Tuesday, at 6:57, Tony Finch <d...@dotat.at> wrote:

> John Dickinson <j...@sinodun.com> wrote:
>>
>> I have been planning to write a draft to address 1 by having validators send
>> the DS of known TA's in an edns0 option code. This info could then be logged
>> by the authoritative nameservers.
>
> Good idea, though just the key tags should be enough. (I think key
> management software ensures that tags don't collide.) If you only include
> the EDNS option when querying for the DNSKEY RRset then that tells the
> server which zone the trust anchor key tags belong to.
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> Forties, Cromarty, Forth, Tyne, Dogger: South or southeast 4 or 5, increasing
> 6 at times. Slight or moderate. Mainly fair. Moderate or good.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
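
The mechanism discussed in this thread, sketched as an added example that is not part of any message or of any draft: a validator attaches its trust anchor key tags to DNSKEY queries only, and the authoritative server extracts them for logging. The option code 65001, the function names and the toy DNSKEY values are assumptions constructed for illustration; the key tag calculation is the one from RFC 4034 Appendix B.

```python
import struct

QTYPE_DNSKEY = 48
OPT_KEY_TAGS = 65001  # assumption: local/experimental EDNS0 code, not an assigned one

def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA, RFC 4034 Appendix B (not for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

# Constructed trust anchors (toy public keys), keyed by zone name.
ANCHORS = {"example.": [dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04"),
                        dnskey_rdata(257, 3, 13, b"\xaa\xbb\xcc\xdd")]}

def validator_option(qname: str, qtype: int, anchors: dict) -> bytes:
    """Validator side: option bytes to append to the OPT RDATA, or b"" for none.
    Sent only on DNSKEY queries, so the query name tells the server the zone."""
    tags = sorted(key_tag(r) for r in anchors.get(qname.lower(), []))
    if qtype != QTYPE_DNSKEY or not tags:
        return b""
    data = struct.pack(f"!{len(tags)}H", *tags)
    return struct.pack("!HH", OPT_KEY_TAGS, len(data)) + data

def server_key_tags(opt_rdata: bytes):
    """Server side: walk the {code, length, data} options; return the key tags
    to log, or None if the option is absent. Raises ValueError if malformed."""
    pos = 0
    while pos < len(opt_rdata):
        if pos + 4 > len(opt_rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        pos += 4
        if pos + length > len(opt_rdata):
            raise ValueError("option data runs past end of OPT RDATA")
        if code == OPT_KEY_TAGS:
            if length % 2:
                raise ValueError("key tag list must be a multiple of 2 bytes")
            return list(struct.unpack_from(f"!{length // 2}H", opt_rdata, pos))
        pos += length
    return None

if __name__ == "__main__":
    opt = validator_option("example.", QTYPE_DNSKEY, ANCHORS)
    print("query example. DNSKEY, trust anchor key tags:", server_key_tags(opt))
```

The server treats the logged tags as an unauthenticated hint from the client, so the parser rejects truncated or odd-length data rather than guessing.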