On Mon, 26 Mar 2018, Paul Vixie wrote:

what i'd like is something more. KEY, SIG and NXT had multiple interoperable implementations, but were not actually functional in any end-to-end way, and were thus replaced by RRSIG, DNSKEY, DS, and NSEC. later we moved the target and added NSEC3 and then NSEC3PARAM.

The way I remember this is that while the KEY/SIG/NXT didn't
provide the chain of trust, it was otherwise functional and DS could
have been added here.

The desire to only allow DNS to use the KEY record (and exclude IPsec
keys) was the main drive to rename/renumber these to DNSKEY/RRSIG/NSEC.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
