> On Apr 7, 2016, at 5:33 PM, John Levine <jo...@taugh.com> wrote:
> 
>> We could have written 
>> "After observing CDS records for 15 days or 2 resigning cycles, whichever is 
>> longer, accept them and upload DS." 
>> Is that better? 
>> It sets expectations. 
> 
> I think my users (the ones who know about DNSSEC) would not be happy
> to hear that their entirely valid signed zone won't be verifiable for
> two weeks, just because I am not as cool as some others are.
> 
>> But there is the case where the Parent happens to know the operator of the domain and 
>> via out-of-band knowledge can be
>> sure the domain is operated by that party. In this case the upload should not 
>> suffer any delay. 
> 
> It needs to be stronger than that, define a small set of automatable
> ways (ideally just one) that the uncool child can verify its bona
> fides to the parent.  It's fine for domains to opt out of them for
> security reasons, but in most cases where the registration is only
> secured by a password, it'll be fine.
> 
> 
> R's,
> John

John, does the challenge mode address your concerns?
i.e. the parent gives the "uncool" operator something to insert into the zone to 
prove they can change the zone. 

Olafur
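To make the two options in this thread concrete, here is an added example (not code from the thread, from DNSOP, or from any registry) of a parent-side acceptance policy: a CDS is accepted immediately when the child has published a parent-issued challenge token in its zone, and otherwise only after the hold period of 15 days or 2 resigning cycles, whichever is longer. The token format (nonce, expiry, HMAC tag), the `_parent-challenge` TXT label, and the in-memory zone dictionary standing in for a DNS lookup are all assumptions made for the example; the thread specifies none of them.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Hypothetical owner-name label under which the child publishes the token
# (the thread does not name one).
CHALLENGE_LABEL = "_parent-challenge"


class Parent:
    """Parent-side logic: issue a challenge, check the child's zone, decide when to upload DS."""

    def __init__(self, secret: bytes, hold_days: int = 15, hold_cycles: int = 2):
        self._secret = secret          # HMAC key so tokens need no server-side storage
        self.hold_days = hold_days     # "15 days ..."
        self.hold_cycles = hold_cycles  # "... or 2 resigning cycles, whichever is longer"

    def _tag(self, domain: str, nonce: str, expires: int) -> str:
        msg = f"{domain}|{nonce}|{expires}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]

    def issue_challenge(self, domain: str, now: datetime,
                        ttl: timedelta = timedelta(days=1)) -> str:
        """Return the string the 'uncool' operator must insert into the zone as a TXT record."""
        nonce = secrets.token_hex(8)
        expires = int((now + ttl).timestamp())
        return f"{nonce}.{expires}.{self._tag(domain, nonce, expires)}"

    def challenge_satisfied(self, domain: str, zone: dict, now: datetime) -> bool:
        """True if a valid, unexpired token for this domain is present in the zone.

        `zone` maps owner name -> list of (rrtype, rdata); it stands in for a DNS query.
        """
        for rtype, rdata in zone.get(f"{CHALLENGE_LABEL}.{domain}", []):
            if rtype != "TXT":
                continue
            try:
                nonce, exp, tag = rdata.split(".")
                exp_int = int(exp)
            except ValueError:
                continue  # malformed record, ignore
            if exp_int < now.timestamp():
                continue  # expired token, ignore
            if hmac.compare_digest(tag, self._tag(domain, nonce, exp_int)):
                return True
        return False

    def ds_upload_time(self, domain: str, zone: dict, cds_first_seen: datetime,
                       resign_interval: timedelta, now: datetime) -> datetime:
        """Earliest time the parent accepts the observed CDS and uploads DS."""
        if self.challenge_satisfied(domain, zone, now):
            return cds_first_seen  # proof of control: no delay
        hold = max(timedelta(days=self.hold_days), self.hold_cycles * resign_interval)
        return cds_first_seen + hold


def run_demo() -> dict:
    """Walk both paths with constructed data and return the outcomes for inspection."""
    now = datetime(2016, 4, 8, tzinfo=timezone.utc)
    domain = "uncool.example."                      # constructed child zone name
    parent = Parent(b"constructed-parent-secret")   # constructed key
    token = parent.issue_challenge(domain, now)

    empty_zone: dict = {}
    zone = {f"{CHALLENGE_LABEL}.{domain}": [("TXT", token)]}
    tampered = {f"{CHALLENGE_LABEL}.{domain}": [("TXT", token[:-1] + ("0" if token[-1] != "0" else "1"))]}

    week, ten_days = timedelta(days=7), timedelta(days=10)
    return {
        "no_token": parent.challenge_satisfied(domain, empty_zone, now),
        "token_ok": parent.challenge_satisfied(domain, zone, now),
        "token_tampered": parent.challenge_satisfied(domain, tampered, now),
        "token_expired": parent.challenge_satisfied(domain, zone, now + timedelta(days=2)),
        # challenge proven: DS goes up at first sighting
        "delay_with_token": parent.ds_upload_time(domain, zone, now, week, now) - now,
        # 2 cycles of 7 days = 14 days < 15 days, so the 15-day floor applies
        "delay_7d_cycle": parent.ds_upload_time(domain, empty_zone, now, week, now) - now,
        # 2 cycles of 10 days = 20 days > 15 days, so the cycles win
        "delay_10d_cycle": parent.ds_upload_time(domain, empty_zone, now, ten_days, now) - now,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The token check is deliberately a plain (non-DNSSEC-validated) lookup: at the moment the challenge is used, the child's zone has no DS yet, so there is no chain to validate against; the token proves only that whoever asked for the DS can edit the zone, which is the bona fides the thread is after. The hold-period branch is what remains for operators who opt out of the challenge for security reasons.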

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop