> On Nov 29, 2018, at 09:20, Mark Andrews <ma...@isc.org> wrote:
>
> You can also just publish DS records for both DNSKEY RRsets with the caveat that
> both RRsets have to have all algorithms as is published in the combined DS
> RRset.

True. But then you are publishing non-public internal network details on the public internet. And you still have to get different DNS groups to work together to update these in time. We thought it better to just whitelist the domains in the provisioning system and have the VPN gateway (automatically or manually) pull/update the proper DS records.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop