I agree, model 1 and model 2 seem doable. Note that RFC 6781 has some
text for model 2 on rollover when changing DNS operators.
https://tools.ietf.org/html/rfc6781#section-4.3.5
Matthijs
On 22-03-18 13:50, Tony Finch wrote:
Olafur Gudmundsson <o...@ogud.com> wrote:
I think only Model #1 makes sense, i.e. zone apex DNSKEY/CDNSKEY/CDS
RRsets are signed by the zone publisher but the rest is signed by the operator on the
fly.
From the provider point of view, I think there are a couple of models:
(a) provider has KSK and ZSK; zone owner needs to be able to import other
provider public keys into this provider's DNSKEY RRset, and export signed
DNSKEY RRset.
(b) provider only has ZSK; zone owner needs to be able to export public
keys, and import signed DNSKEY RRsets.
Given this, I think a zone owner can implement either model 1 or
model 2 from the draft. Model 3 requires sharing private keys.
Tony.
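Both of Tony's provider models hinge on the same operational fact: every operator's published apex DNSKEY RRset has to carry the public keys of every other operator, or validators served by one operator will fail on data signed by the other. The script below is an added example, not code from this thread, from the draft, or from any provider; it checks that property over constructed DNSKEY records (fake key bytes, labelled as such) using the key-tag computation from RFC 4034 Appendix B. Provider names and key material are assumptions made up for the illustration.

```python
"""Consistency check for a multi-signer zone's DNSKEY RRsets (added example).

Data below is constructed: the public key bytes are placeholders, not
real keys. Key tags follow RFC 4034 Appendix B.
"""
from __future__ import annotations

from dataclasses import dataclass

SEP_FLAG = 0x0001  # Secure Entry Point bit: set on a KSK, clear on a ZSK
ZONE_KEY_FLAG = 0x0100  # bit 7 of the flags field, set on every DNSKEY


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes
    protocol: int = 3  # always 3 for DNSSEC

    def rdata(self) -> bytes:
        # wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit sum over RDATA, odd bytes shifted left
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)


def zsk_tags(rrset: set[DNSKEY]) -> set[int]:
    """Key tags of the ZSKs (non-SEP keys) in one published DNSKEY RRset."""
    return {k.key_tag() for k in rrset if not k.is_ksk}


def missing_zsks(published: dict[str, set[DNSKEY]]) -> dict[str, set[int]]:
    """For each provider, the ZSK key tags held by other providers that are
    absent from the DNSKEY RRset this provider publishes.

    An empty set for every provider means each operator has imported the
    others' public keys (Tony's model (a) import step, or model (b) export
    step, done). A non-empty set is a zone that will fail validation for
    some resolvers, because RRSIGs made with the missing ZSK have no key.
    """
    all_zsk = set().union(*(zsk_tags(r) for r in published.values()))
    return {name: all_zsk - zsk_tags(rrset) for name, rrset in published.items()}


# --- constructed sample data (placeholder key bytes, algorithm 13) ---------
OWNER_KSK = DNSKEY(ZONE_KEY_FLAG | SEP_FLAG, 13, b"\x01" * 64)
ZSK_A = DNSKEY(ZONE_KEY_FLAG, 13, b"\x02" * 64)   # provider A's ZSK
ZSK_B = DNSKEY(ZONE_KEY_FLAG, 13, b"\x03" * 64)   # provider B's ZSK

# Provider A already imported B's key; provider B has not yet imported A's.
SAMPLE_PUBLISHED = {
    "provider-a": {OWNER_KSK, ZSK_A, ZSK_B},
    "provider-b": {OWNER_KSK, ZSK_B},
}


def sample_report() -> dict[str, set[int]]:
    return missing_zsks(SAMPLE_PUBLISHED)


if __name__ == "__main__":
    for provider, missing in sample_report().items():
        state = "ok" if not missing else f"missing ZSK tags {sorted(missing)}"
        print(f"{provider}: {state}")
```

The same check applies whether the KSK lives with the zone owner (model 1) or with each operator (model 2); in the latter case the CDS/CDNSKEY records each operator publishes must also agree, which this example does not cover.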
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop