Mark Andrews <ma...@isc.org> wrote:
> The purpose was for the CDS/CDNSKEY tools to not have to fetch the
> current DNSKEY RRset to be able to validate the records provided they
> have a current KSK.

Oh, that's neat, thanks! Having thought about it a bit more I understand why the draft says what it does and why that makes sense.

It's difficult that KSK can mean four different and not necessarily congruent things:

1. keys with the SEP bit set
2. keys that sign the DNSKEY RRset
3. keys with digests in the DS RRset
4. keys that are trust anchors

My understanding is that for a validator the SEP bit is irrelevant. For 2 and 3 the distinction I needed is that the DS keys are the ones authenticated by the parent; the signing of the DNSKEY RRset allows the child to authenticate additional keys (i.e. ZSKs). But from the parent's point of view what matters is that the RRset as a whole is signed by a parentally authenticated key.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Tyne, Dogger, Fisher, German Bight: South or southwest 3 or 4, increasing 5 or 6, occasionally 7 later. Slight becoming moderate. Rain then showers. Moderate or good.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
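Added illustration for the thread above (editorial example, not code from the poster or from ISC): a small Python script that classifies a constructed DNSKEY RRset by senses 1 to 3 of "KSK", SEP flag set, signer of the DNSKEY RRset, and digest present in the parent's DS RRset, and shows that the three need not coincide. The key tag follows RFC 4034 Appendix B and the DS digest is SHA-256 over the canonical owner name plus DNSKEY RDATA; the owner name, key bytes and signer list are constructed placeholders, and only DS digest type 2 is handled.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    flags: int          # bit 15 = ZONE, bit 0 = SEP: 257 = ZONE|SEP, 256 = ZONE only
    algorithm: int
    public_key: bytes   # placeholder bytes in this example, not real key material
    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([3, self.algorithm]) + self.public_key
    def has_sep(self) -> bool:
        return bool(self.flags & 1)

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical (lowercase, length-prefixed) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    """DS digest type 2: SHA-256 over owner wire form + DNSKEY RDATA (RFC 4034 s5.1.4)."""
    digest = hashlib.sha256(owner_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, 2, digest)

def classify(owner: str, dnskeys, ds_rrset, dnskey_signers):
    """Senses 1-3 per key; dnskey_signers = (key_tag, algorithm) pairs from RRSIG(DNSKEY)."""
    return {k: {"sep": k.has_sep(),
                "signs_dnskey": (key_tag(k.rdata()), k.algorithm) in dnskey_signers,
                "in_ds": ds_from_dnskey(owner, k) in ds_rrset} for k in dnskeys}

# Constructed sample: one published KSK, one pre-published successor, one ZSK.
OWNER = "child.example."
KSK = DNSKEY(257, 13, b"\x01\x02\x03\x04")      # SEP set, signs DNSKEY, DS published by parent
NEW_KSK = DNSKEY(257, 13, b"\x09\x0a\x0b\x0c")  # SEP set, but parent has no DS for it yet
ZSK = DNSKEY(256, 13, b"\x05\x06\x07\x08")      # no SEP, authenticated only via RRSIG(DNSKEY)
DS_RRSET = [ds_from_dnskey(OWNER, KSK)]          # what the parent currently publishes
SIGNERS = {(key_tag(KSK.rdata()), 13)}           # RRSIG(DNSKEY) made by KSK only
```

Running `classify(OWNER, [KSK, NEW_KSK, ZSK], DS_RRSET, SIGNERS)` shows that only KSK is parentally authenticated, even though NEW_KSK also carries the SEP bit.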