>We could have written
>“After observing CDS records for 15 days or 2 resigning cycles whichever is
>longer, accept them and upload DS”
>Is that better?
>It sets expectations

I think my users (the ones who know about DNSSEC) would not be happy to hear that their entirely valid signed zone won't be verifiable for two weeks, just because I am not as cool as some others are.

>But there is the case Parent happens to know the operator of the domain and
>via out of band knowledge can be
>sure the domain is operated by that party. In this case the upload should not
>suffer any delay.

It needs to be stronger than that, define a small set of automatable ways (ideally just one) that the uncool child can verify its bona fides to the parent. It's fine for domains to opt out of them for security reasons, but in most cases where the registration is only secured by a password, it'll be fine.

R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop