On Thu, Mar 22, 2018 at 1:00 PM, Shumon Huque <shu...@gmail.com> wrote:
> On Thu, Mar 22, 2018 at 12:50 PM, Tony Finch <d...@dotat.at> wrote:
>
>> Olafur Gudmundsson <o...@ogud.com> wrote:
>> >
>> > I think only Model #1 makes sense, i.e. zone apex DNSKEY/CDNSKEY/CDS
>> > RRsets are signed by the zone publisher but the rest is signed by the
>> > operator on the fly.
>>
>> From the provider point of view, I think there are a couple of models:
>>
>> (a) provider has KSK and ZSK; zone owner needs to be able to import other
>> provider public keys into this provider's DNSKEY RRset, and export the
>> signed DNSKEY RRset.
>>
>> (b) provider only has ZSK; zone owner needs to be able to export public
>> keys, and import signed DNSKEY RRsets.
>>
>> Given this, I think a zone owner can implement either model 1 or
>> model 2 from the draft. Model 3 requires sharing private keys.
>>
>
> That's correct. Both model 1 and 2 seem quite viable to me. Maybe Olafur
> can elaborate on why he feels only model 1 makes sense.
>
> One thing I would like to discuss is whether this document should recommend
> just one model to maximise the chances that multiple providers implement a
> common interoperable scheme that a zone owner can successfully deploy.
> Providers might be persuadable to implement both models, but anything more
> than two, I would guess, will not be practical.
>
> Shumon.
>

My preference is that the zone owner can say they are in full control of the
zone authority.

Second reason is that if provider B is signing the DNSKEY for the zone, then
it can remove the key for operator A, which is not the intent of the zone
owner.

Olafur
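As an added example, not code from the thread or from any provider: a Python check a zone owner could run against the DNSKEY RRset a provider publishes under model 2, to catch the case Olafur raises where the provider signing the RRset drops the other operator's key. Key tags follow RFC 4034 Appendix B; the provider names and key bytes are constructed placeholders, not real DNSSEC keys.

```python
"""Audit a multi-signer DNSKEY RRset: are every provider's declared keys still published?"""
import struct


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag over the DNSKEY RDATA (all algorithms except RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey(flags: int, algorithm: int, pubkey: bytes) -> dict:
    """Minimal DNSKEY record; protocol is always 3 (RFC 4034 section 2.1.2)."""
    return {"flags": flags, "protocol": 3, "algorithm": algorithm, "key": pubkey}


# Constructed placeholder keys. Flags 257 = KSK (SEP bit set), 256 = ZSK.
OWNER_KSK = dnskey(257, 13, b"zone-owner-ksk-constructed")
PROVIDER_KEYS = {
    "provider-a": [dnskey(256, 13, b"provider-a-zsk-constructed")],
    "provider-b": [dnskey(256, 13, b"provider-b-zsk-constructed")],
}
# Model 2 done right: the RRset provider B signs still carries provider A's ZSK.
PUBLISHED_OK = [OWNER_KSK] + PROVIDER_KEYS["provider-a"] + PROVIDER_KEYS["provider-b"]
# The failure described in the thread: B republishes the RRset without A's key.
PUBLISHED_DROPPED_A = [OWNER_KSK] + PROVIDER_KEYS["provider-b"]


def tags_of(rrset) -> set:
    """Key tags of every DNSKEY in an RRset (what RRSIGs and DS records refer to)."""
    return {key_tag(r["flags"], r["protocol"], r["algorithm"], r["key"]) for r in rrset}


def audit_rrset(published, provider_keys) -> dict:
    """Return {provider: sorted key tags declared by that provider but absent from
    the published RRset}. An empty dict means every provider's keys are present."""
    present = tags_of(published)
    missing = {}
    for provider, keys in provider_keys.items():
        gone = sorted(tags_of(keys) - present)
        if gone:
            missing[provider] = gone
    return missing


if __name__ == "__main__":
    print("complete RRset:", audit_rrset(PUBLISHED_OK, PROVIDER_KEYS))
    print("A's key dropped:", audit_rrset(PUBLISHED_DROPPED_A, PROVIDER_KEYS))
```

In practice the published list would be built from a DNSKEY query against each provider's authoritative servers, and a non-empty result is the alert: that provider's copy no longer validates data signed by the other operator's ZSK.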
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop