Joe Abley <jab...@hopcount.ca> wrote:
>
> There is hence an operational risk that data will leak (e.g. by
> configuration changes, software downgrades that are pragmatic
> necessities, side systems that publish zone data in ways other than the
> DNS).
>
> By keeping data that is already exchanged over a (manual) out-of-band
> channel separate, and not packaging them up with zone data, the existing
> segregation of private vs. public is preserved and the task is simply to
> automate a process that is currently manual.

Yes. It might make sense to put secret keys in catalog zones.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Cromarty, Forth, Tyne: South 3 to 5, becoming variable 3 or less. Smooth or
slight. Occasional rain, fog patches. Moderate, occasionally very poor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop