Shumon Huque <shu...@gmail.com> wrote:

> On Thu, Mar 22, 2018 at 12:50 PM, Tony Finch <d...@dotat.at> wrote:
>
> > From the provider point of view, I think there are a couple of models:
> >
> > (a) provider has KSK and ZSK; zone owner needs to be able to import other
> > provider public keys into this provider's DNSKEY RRset, and export signed
> > DNSKEY RRset.
> >
> > (b) provider only has ZSK; zone owner needs to be able to export public
> > keys, and import signed DNSKEY RRsets.
>
> One thing I would like to discuss is whether this document should recommend
> just one model to maximise the chances that multiple providers implement a
> common interoperable scheme that a zone owner can successfully deploy.
> Providers might be persuadable to implement both models, but anything more
> than two, I would guess, will not be practical.
I think providers need to implement all the functionality I sketched above.
The zone owner might act as provider (a) holding the KSK private key; or they
might outsource it. The risk that Olafur mentioned of a KSK provider dropping
imported DNSKEYs from other providers is probably a matter for contracts and
lawyers :-) But it sort of illustrates the point that this functionality is
really useful for phased migration from one provider to another without going
insecure.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Shannon: South veering west, 5 to 7, increasing gale 8 or severe gale 9 for a
time. Rough or very rough, occasionally high for a time. Squally showers.
Moderate or poor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
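The two provider roles discussed above, and the "KSK provider drops an imported DNSKEY" failure, as an added example that is not part of the thread and is not any provider's code. Model (a) is the KSK holder that imports the other provider's ZSK and exports the signed DNSKEY RRset; model (b) is the ZSK-only provider that exports its public key and imports that RRset. The public keys are constructed 32-byte stand-ins for Ed25519 (algorithm 15) keys and the RRSIG over the DNSKEY RRset is simulated with a hash, so nothing here validates real DNSSEC; the key-tag computation (RFC 4034 Appendix B) and the DNSKEY presentation-format parser do work on real records, which is what a zone owner would run against `dig DNSKEY` output to confirm that every provider's ZSK is still in the published RRset.

```python
"""Multi-signer DNSSEC role model: added example, not the thread's own code.
Keys are constructed stand-ins and the DNSKEY RRSIG is simulated (sha256);
key tags follow RFC 4034 Appendix B and are correct for real records."""
import base64
import hashlib
import struct
from dataclasses import dataclass

SEP = 0x0001  # Secure Entry Point bit: set on a KSK (flags 257), clear on a ZSK (256)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY rdata (flags|proto|alg|pubkey)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class Dnskey:
    owner: str
    flags: int
    algorithm: int
    pubkey: bytes
    protocol: int = 3

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

    def tag(self) -> int:
        return key_tag(self.rdata())

    def is_ksk(self) -> bool:
        return bool(self.flags & SEP)

    def presentation(self) -> str:
        """Presentation format, as dig prints it."""
        b64 = base64.b64encode(self.pubkey).decode()
        return f"{self.owner} 3600 IN DNSKEY {self.flags} {self.protocol} {self.algorithm} {b64}"


def parse_dnskey(line: str) -> Dnskey:
    """Parse one DNSKEY line in presentation format (TTL/class may be absent)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return Dnskey(fields[0], flags, alg, base64.b64decode("".join(fields[i + 4:])), proto)


def constructed_key(owner: str, label: str, flags: int) -> Dnskey:
    """Deterministic 32-byte stand-in for an Ed25519 public key (NOT a real key)."""
    return Dnskey(owner, flags, 15, hashlib.sha256(label.encode()).digest())


class KskProvider:
    """Model (a): holds KSK and ZSK, imports other providers' public keys,
    exports the DNSKEY RRset together with its (simulated) KSK signature."""

    def __init__(self, owner: str, name: str):
        self.ksk = constructed_key(owner, f"{name}-ksk", 257)
        self.zsk = constructed_key(owner, f"{name}-zsk", 256)
        self.imported: list[Dnskey] = []

    def import_public_key(self, key: Dnskey) -> None:
        if key.tag() not in {k.tag() for k in self.imported}:
            self.imported.append(key)

    def drop_imported(self, tag: int) -> None:
        """The failure from the thread: the KSK holder removes an imported key."""
        self.imported = [k for k in self.imported if k.tag() != tag]

    def export_signed_dnskey(self) -> tuple[list[Dnskey], bytes]:
        rrset = sorted([self.ksk, self.zsk, *self.imported], key=Dnskey.rdata)  # canonical order
        sig = hashlib.sha256(b"".join(k.rdata() for k in rrset) + self.ksk.pubkey).digest()  # simulated RRSIG
        return rrset, sig


class ZskProvider:
    """Model (b): holds only a ZSK; exports its public key and imports the
    signed DNSKEY RRset it must publish verbatim."""

    def __init__(self, owner: str, name: str):
        self.zsk = constructed_key(owner, f"{name}-zsk", 256)
        self.published: tuple[list[Dnskey], bytes] | None = None

    def export_public_key(self) -> Dnskey:
        return self.zsk

    def import_signed_dnskey(self, rrset: list[Dnskey], sig: bytes) -> None:
        self.published = (rrset, sig)


def missing_zsks(published: list[Dnskey], zsks: list[Dnskey]) -> list[int]:
    """Key tags of provider ZSKs absent from the published DNSKEY RRset. A
    provider listed here signs with a key validators cannot find, so answers
    it serves fail validation: the zone has effectively gone insecure there."""
    present = {k.tag() for k in published}
    return [z.tag() for z in zsks if z.tag() not in present]


def migration_scenario() -> dict:
    """Phased migration: 'old' holds the KSK, 'new' brings only a ZSK."""
    zone = "example.com."  # constructed zone name
    old, new = KskProvider(zone, "old"), ZskProvider(zone, "new")
    old.import_public_key(new.export_public_key())
    rrset, sig = old.export_signed_dnskey()
    new.import_signed_dnskey(rrset, sig)
    before = missing_zsks([parse_dnskey(k.presentation()) for k in rrset], [old.zsk, new.zsk])
    old.drop_imported(new.zsk.tag())  # contracts-and-lawyers case
    after = missing_zsks(old.export_signed_dnskey()[0], [old.zsk, new.zsk])
    return {"before": before, "after": after, "new_zsk_tag": new.zsk.tag()}


if __name__ == "__main__":
    print(migration_scenario())
```

`missing_zsks` is the check worth running on every DNSKEY RRset the KSK holder publishes: it is cheap, it only needs each provider's exported public key, and it catches the dropped-key case before validators start returning SERVFAIL for that provider's answers.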