For BIND it is essentially useless as we use DNSKEYs as our trust
anchors.  You can go from a DNSKEY to a DS record.  You can't go
from a DS record to a DNSKEY, you can only select from a set of
DNSKEYs the one or more (not that I expect that to ever happen)
that matches a DS.

If you are going to publish trust anchors they should be easy to
use.  No one types in DS or DNSKEY records so data length really
shouldn't be a consideration.  They are all entered using cut-and-paste.
There is no reason to only publish DS records.

Mark

In message <70fa923d-c067-492e-a1ea-7b88754c2...@gmail.com>, Suzanne Woolf writes:
> All,
> 
> First, thanks to the engaging on this.
> 
> On Oct 5, 2015, at 5:20 PM, "Joe Abley" <jab...@hopcount.ca> wrote:
> > 
> > Perhaps it's time to sit back and wait for others here to express an opinion.
> 
> I'd like to hear opinions from others in the WG with an operational interest 
> in the DNSSEC root trust anchor. 
> 
> Does this document meet a need you have? If so, how well does it meet the need,
> and what would it take (if anything) for the document to meet that need more
> effectively?
> 
> I'm trying not to put the mechanics (whether/how/by whom published) ahead of 
> the actual purpose of publishing.
> 
> 
> thanks,
> Suzanne
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
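
Added example, not part of the original message and not BIND code: the one-way DNSKEY-to-DS relationship described above, using the RFC 4034 key tag and a SHA-256 (digest type 2) DS. The keys are short constructed byte strings, not real root keys, and the function names are hypothetical.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name; "." is the root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (non-RSA/MD5 algorithms)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_to_ds(owner, rdata):
    """Forward direction: DNSKEY -> DS fields, SHA-256 digest (type 2)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def select_matching(owner, ds, dnskey_set):
    """A DS cannot be inverted; it can only pick keys out of a DNSKEY set."""
    return [k for k in dnskey_set if dnskey_to_ds(owner, k) == ds]

# Constructed keys (not real root keys), short so the key tag is easy to check.
KSK = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))
ZSK = dnskey_rdata(256, 3, 8, bytes([9, 9, 9, 9]))
OLD_KSK = dnskey_rdata(257, 3, 8, bytes([5, 6, 7, 8]))

if __name__ == "__main__":
    ds = dnskey_to_ds(".", KSK)
    print("DS derived from DNSKEY:", ds)
    print("keys matching that DS:", select_matching(".", ds, [ZSK, OLD_KSK, KSK]))
```

A validator configured with DNSKEY trust anchors can always produce the DS itself; one given only the DS has to obtain the DNSKEY set first and filter it as `select_matching` does.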
