On Thu, Mar 22, 2018 at 12:50 PM, Tony Finch <d...@dotat.at> wrote:
> Olafur Gudmundsson <o...@ogud.com> wrote:
> >
> > I think only Model #1 makes sense, i.e. zone apex DNSKEY/CDNSKEY/CDS
> > RRsets are signed by zone publisher but rest signed by operator on the
> > fly.
>
> From the provider point of view, I think there are a couple of models:
>
> (a) provider has KSK and ZSK; zone owner needs to be able to import other
> provider public keys into this provider's DNSKEY RRset, and export signed
> DNSKEY RRset.
>
> (b) provider only has ZSK; zone owner needs to be able to export public
> keys, and import signed DNSKEY RRsets.
>
> Given this, I think a zone owner can implement either model 1 or
> model 2 from the draft. Model 3 requires sharing private keys.
That's correct. Both model 1 and 2 seem quite viable to me. Maybe Olafur can elaborate on why he feels only model 1 makes sense.

One thing I would like to discuss is whether this document should recommend just one model to maximise the chances that multiple providers implement a common interoperable scheme that a zone owner can successfully deploy. Providers might be persuadable to implement both models, but anything more than two, I would guess, will not be practical.

Shumon.
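The zone owner's side of Tony's models (a) and (b), as an added example that is not from the thread, the draft, or any provider's tooling: in either model the owner ends up collecting every provider's public ZSK, building the combined DNSKEY RRset that each provider must publish, and confirming that the parent's DS records cover every KSK that signs that RRset. The check matters because a validator may fetch the DNSKEY RRset from one provider and an RRSIG made with another provider's ZSK; if that ZSK is missing from the RRset it fetched, validation fails. The Python below (standard library only) implements the RFC 4034 Appendix B key tag and the RFC 4509 SHA-256 DS digest, then audits each provider's published DNSKEY RRset against the expected union. The zone name, provider names, key bytes and the scenario are constructed placeholders; signing the RRset is not shown.

```python
"""Multi-signer DNSKEY/DS consistency audit for a zone owner (stdlib only).

Added example: every key below is constructed placeholder bytes, not a real
key, and no signatures are produced or verified.
"""
import base64
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int     # always 3 (RFC 4034)
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    @classmethod
    def from_text(cls, text: str) -> "DNSKEY":
        """Parse presentation form 'flags protocol algorithm base64' (key may be split)."""
        flags, proto, alg, *key = text.split()
        return cls(int(flags), int(proto), int(alg), base64.b64decode("".join(key)))

    def rdata(self) -> bytes:
        """Wire-format RDATA: 2-byte flags, protocol, algorithm, public key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (algorithm 1 uses a different rule, not handled)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # SEP bit


def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lower-cased, length-prefixed labels, root terminator."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_digest(owner: str, key: DNSKEY) -> str:
    """DS digest type 2 (SHA-256) over owner-name wire form + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + key.rdata()).hexdigest().upper()


def expected_dnskey_rrset(ksks, provider_zsks):
    """The DNSKEY RRset every provider must publish: all KSKs plus every provider's ZSKs."""
    keys = set(ksks)
    for zsks in provider_zsks.values():
        keys.update(zsks)
    return frozenset(keys)


def audit_provider(name, published, expected):
    """Report, by key tag, what this provider's DNSKEY RRset lacks or adds vs. the expected set."""
    published = set(published)
    return {"provider": name,
            "missing": sorted(k.key_tag() for k in expected - published),
            "extra": sorted(k.key_tag() for k in published - expected)}


def audit_ds(owner, parent_ds_digests, ksks):
    """Key tags of KSKs with no matching DS at the parent (no chain of trust to them)."""
    return sorted(k.key_tag() for k in ksks if ds_digest(owner, k) not in set(parent_ds_digests))


# --- constructed scenario: placeholder key bytes, hypothetical zone and providers ---
ZONE = "example.test."


def _placeholder(flags, fill):
    key_b64 = base64.b64encode(bytes([fill]) * 64).decode()   # 64 bytes, like an alg 13 key
    return DNSKEY.from_text(f"{flags} 3 13 {key_b64}")


KSK = _placeholder(257, 0xA1)      # held by the zone owner (model (b)) or a provider (model (a))
ZSK_A = _placeholder(256, 0xB2)    # provider A's ZSK
ZSK_B = _placeholder(256, 0xC3)    # provider B's ZSK


def run_demo():
    expected = expected_dnskey_rrset([KSK], {"A": [ZSK_A], "B": [ZSK_B]})
    # Provider A imported B's ZSK as it should; provider B never imported A's ZSK.
    published = {"A": [KSK, ZSK_A, ZSK_B], "B": [KSK, ZSK_B]}
    parent_ds = [ds_digest(ZONE, KSK)]   # constructed: what the parent publishes for us
    return {
        "expected_tags": sorted(k.key_tag() for k in expected),
        "providers": {n: audit_provider(n, rrset, expected) for n, rrset in published.items()},
        "ksks_without_ds": audit_ds(ZONE, parent_ds, [k for k in expected if k.is_ksk()]),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it and provider B shows ZSK_A's tag under "missing": that is exactly the state in which responses signed by provider A fail validation whenever a resolver happens to fetch the DNSKEY RRset from provider B. In model (a), where each provider holds its own KSK, pass all of them to audit_ds, since the parent's DS set has to cover every KSK that signs a DNSKEY RRset, not just one.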
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop