On Tue, Oct 31, 2017 at 11:30 AM, Paul Wouters <p...@nohats.ca> wrote:
> > On Oct 31, 2017, at 22:25, Ólafur Guðmundsson <ola...@cloudflare.com> wrote:
> >
> > There are three ways to treat this case:
> > Any-TrustedKey-works
> > ConfiguredKey-trumps-DS
> > DS-trumps-configuredKey
> >
> > I think the last one is the "most" correct from an operational expectation,
>
> Not really, as that would mean you cannot have internal only zones in
> split-dns view, unless you are building in weird assumptions like
> ConfiguredKeyTrumpsNSECbutNotDS
>
> > But I suspect the middle one is implemented
>
> It better, it is the only working solution :)

The question is what the "users" expect.

I agree that the first two have the best operational behaviors, and the
third one blocks "split-DNS with different KEY". If internal domains use
the same key as external "equivalent" ones, then there is no issue.

Thus the question is twofold:
a) is there need for clarification in how the protocol works, possibly
   with a recommendation for resolver "tunable" settings.
b) is there need for operational guidance for "split DNS" DNSSEC

I think the answer on both is yes.

Olafur
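The three precedence policies named in the thread (plus Paul's "ConfiguredKeyTrumpsNSECbutNotDS" variant) can be modelled in a few lines. The block below is an added illustration, not code from any resolver or from the thread's authors: it reduces keys to constructed key tags, assumes every RRSIG would verify, and only decides which trust source wins when the parent's DS and a locally configured trust anchor disagree. The split-DNS cases at the bottom reproduce the point made in the exchange: "DS-trumps-configuredKey" turns an internal view signed with its own key into a bogus zone and an internal-only zone into an insecure one, while the other two policies validate both.

```python
"""Toy model of trust-anchor precedence policies for split-DNS DNSSEC.

Added illustration (not any resolver's implementation). Key tags stand in for
full DNSKEY/DS material; the question modelled is only "which trust source
decides" when a parent DS and a locally configured trust anchor differ.
"""
from typing import FrozenSet, Optional

# Policies exactly as named in the thread.
ANY_TRUSTED_KEY_WORKS = "Any-TrustedKey-works"
CONFIGURED_KEY_TRUMPS_DS = "ConfiguredKey-trumps-DS"
DS_TRUMPS_CONFIGURED_KEY = "DS-trumps-configuredKey"
# The "weird assumption" variant: a configured key overrides the parent's
# authenticated denial of a DS, but not an actual DS RRset.
CONFIGURED_KEY_TRUMPS_NSEC_BUT_NOT_DS = "ConfiguredKeyTrumpsNSECbutNotDS"
POLICIES = (ANY_TRUSTED_KEY_WORKS, CONFIGURED_KEY_TRUMPS_DS,
            DS_TRUMPS_CONFIGURED_KEY, CONFIGURED_KEY_TRUMPS_NSEC_BUT_NOT_DS)

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


def _verdict(trusted: FrozenSet[int], dnskeys: FrozenSet[int]) -> str:
    """Secure if some trusted key tag appears in the zone's DNSKEY RRset, else bogus."""
    return SECURE if trusted & dnskeys else BOGUS


def validate(policy: str,
             parent_ds: Optional[FrozenSet[int]],
             configured: FrozenSet[int],
             dnskeys: FrozenSet[int]) -> str:
    """Decide the validation state of a zone apex under one policy.

    parent_ds:  key tags in the parent's authenticated DS RRset, or None when
                the parent's authenticated denial (NSEC/NSEC3) says "no DS".
    configured: key tags of locally configured trust anchors for this zone.
    dnskeys:    key tags present in the DNSKEY RRset received from the zone.
    """
    if policy == ANY_TRUSTED_KEY_WORKS:
        trusted = (parent_ds or frozenset()) | configured
        return _verdict(trusted, dnskeys) if trusted else INSECURE

    if policy == CONFIGURED_KEY_TRUMPS_DS:
        if configured:                      # local anchor decides when present
            return _verdict(configured, dnskeys)
        return _verdict(parent_ds, dnskeys) if parent_ds else INSECURE

    if policy == DS_TRUMPS_CONFIGURED_KEY:
        if parent_ds is not None:           # parent's DS decides when present
            return _verdict(parent_ds, dnskeys)
        return INSECURE                     # parent proved "no DS": parent wins

    if policy == CONFIGURED_KEY_TRUMPS_NSEC_BUT_NOT_DS:
        if parent_ds is not None:
            return _verdict(parent_ds, dnskeys)
        return _verdict(configured, dnskeys) if configured else INSECURE

    raise ValueError(f"unknown policy {policy!r}")


def split_dns_scenarios() -> dict:
    """Constructed split-DNS cases; returns {case: {policy: verdict}}.

    Key tags 11111/22222/33333 are made up for the example.
    """
    cases = {
        # Public parent DS points at the external key 22222; the internal view
        # is signed with 11111, configured as an anchor on the internal resolver.
        "split view, different key": (frozenset({22222}), frozenset({11111}), frozenset({11111})),
        # Internal view signed with the same key the public DS refers to.
        "split view, same key": (frozenset({22222}), frozenset({22222}), frozenset({22222})),
        # Internal-only zone: the public parent proves there is no DS at all.
        "internal-only zone": (None, frozenset({33333}), frozenset({33333})),
    }
    return {case: {p: validate(p, *args) for p in POLICIES}
            for case, args in cases.items()}


if __name__ == "__main__":
    for case, verdicts in split_dns_scenarios().items():
        print(case)
        for policy, verdict in verdicts.items():
            print(f"  {policy:<36} {verdict}")
```

Running it prints one line per policy and case; the "different key" and "internal-only" cases are the ones where only the first two policies (and the NSEC-but-not-DS variant, for the internal-only case) keep the internal view validating.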
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop