Olafur Gudmundsson <o...@ogud.com> wrote:
>
> I think only Model #1 makes sense, i.e. Zone apex DNSKEY/CDNSKEY/CDS
> RRsets are signed by zone publisher but rest signed by operator on the
> fly.

From the provider point of view, I think there are a couple of models:

(a) provider has KSK and ZSK; zone owner needs to be able to import other
    provider public keys into this provider's DNSKEY RRset, and export
    signed DNSKEY RRset.

(b) provider only has ZSK; zone owner needs to be able to export public
    keys, and import signed DNSKEY RRsets.

Given this, I think a zone owner can implement either model 1 or model 2
from the draft. Model 3 requires sharing private keys.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Biscay: Variable 3, becoming southwesterly 4 or 5, occasionally 6. Moderate
or rough. Occasional rain. Good occasionally poor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop