On 10/31/17, 15:52, "DNSOP on behalf of Paul Wouters" wrote:
>this zone can never be stolen from me by a parent.
Can you elaborate on this, what do you mean "stolen" by a parent?
The reason I am asking - choosing one strategy (any key, configured key rules,
DS rules) is based on what one mo
On 10/31/17, 20:50, "DNSOP on behalf of Mark Andrews" wrote:
>Secondly doing deepest match on trust anchors is the only secure way to
>prevent a parent overriding the child zone's security policy.
By this, do you mean choice of cryptographic algorithm and/or length? To
achieve "independenc
If I remember the discussions correctly, there was a sense that the
resolver decides the local policy. And that yes, those are the three
options. Perhaps the options should be made more clear in a text somewhere.
On Tue, 31 Oct 2017, Ólafur Guðmundsson wrote:
There are three ways to treat this
On 11/1/17, 08:17, "DNSOP on behalf of Patrik Wallstrom" wrote:
>If I remember the discussions correctly, there was a sense that the
>resolver decides the local policy. And that yes, those are the three
>options. Perhaps the options should be made more clear in a text somewhere.
The
On 1 Nov 2017, at 6:48, Edward Lewis wrote:
The reason why I'm digging into this is that "things change."
As a recap: this thread started with Moritz quoting from RFC 4035 and
asking:
Did we miss something, or is there indeed clarification needed?
I believe that RFC 4035 indicates succes
On Tue, Oct 31, 2017 at 11:30 AM, Paul Wouters wrote:
>
>
> > On Oct 31, 2017, at 22:25, Ólafur Guðmundsson
> wrote:
> >
> >
> > There are three ways to treat this case:
> > Any-TrustedKey-works
> > ConfiguredKey-trumps-DS
> > DS-trumps-configuredKey
> >
> > I think the Last one is the "most" c
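The three resolver policies Ólafur lists (Any-TrustedKey-works, ConfiguredKey-trumps-DS, DS-trumps-configuredKey), together with the "deepest match on trust anchors" rule Mark mentions, as a worked illustration added here. This is not code from the thread or from any resolver; the DNSKEY records, the parent's DS set, the zone names and the simplified DS digest are all constructed for the example, and the parent's DS set is assumed to have been validated already through the parent's own chain.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class DNSKEY:
    owner: str      # zone apex the key belongs to, e.g. "example.com."
    keydata: bytes  # public key material, treated as opaque in this model


def ds_digest(key: DNSKEY) -> bytes:
    """Model of a DS digest: SHA-256 over owner name and key material.
    A real DS (RFC 4034) hashes the canonical owner name plus the full
    DNSKEY RDATA; this simplification is an assumption of the example."""
    return hashlib.sha256(key.owner.lower().encode() + key.keydata).digest()


def deepest_anchor(zone: str, anchors: Dict[str, List[DNSKEY]]) -> Optional[str]:
    """'Deepest match': the configured trust-anchor name that most closely
    encloses (or equals) `zone`.  Returns None if no anchor covers it."""
    labels = [] if zone == "." else zone.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        candidate = ".".join(labels[i:]) + "." if labels[i:] else "."
        if candidate in anchors:
            return candidate
    return None


POLICIES = ("any-trusted-key", "configured-key-trumps-ds", "ds-trumps-configured-key")


def trusted_entry_keys(zone: str,
                       dnskeys: List[DNSKEY],
                       anchors: Dict[str, List[DNSKEY]],
                       parent_ds: Set[bytes],
                       policy: str) -> Set[DNSKEY]:
    """Keys in the zone's DNSKEY RRset that the validator accepts as secure
    entry points under one of the three policies from the thread."""
    configured = set(anchors.get(zone, []))           # anchors for this exact zone
    via_anchor = {k for k in dnskeys if k in configured}
    via_ds = {k for k in dnskeys if ds_digest(k) in parent_ds}

    if policy == "any-trusted-key":
        return via_anchor | via_ds
    if policy == "configured-key-trumps-ds":
        # Deepest match: an anchor configured at the zone itself shadows
        # whatever DS the parent publishes; otherwise follow the chain.
        return via_anchor if deepest_anchor(zone, anchors) == zone else via_ds
    if policy == "ds-trumps-configured-key":
        # The parent's DS wins whenever one exists, even over a local anchor.
        return via_ds if parent_ds else via_anchor
    raise ValueError(f"unknown policy {policy!r}")


def scenario() -> Dict[str, Set[str]]:
    """Constructed case: the operator configured k_local as the anchor for
    example.com., but the parent (com.) publishes a DS only for k_parent.
    Returns, per policy, which keys the validator would trust."""
    k_local = DNSKEY("example.com.", b"key-material-local")
    k_parent = DNSKEY("example.com.", b"key-material-parent")
    rrset = [k_local, k_parent]
    anchors = {".": [DNSKEY(".", b"root-key")], "example.com.": [k_local]}
    parent_ds = {ds_digest(k_parent)}
    return {
        policy: {k.keydata.decode() for k in
                 trusted_entry_keys("example.com.", rrset, anchors, parent_ds, policy)}
        for policy in POLICIES
    }


if __name__ == "__main__":
    for policy, keys in scenario().items():
        print(f"{policy:28s} -> {sorted(keys)}")
```

Under DS-trumps-configuredKey the locally configured key drops out entirely and the only trusted entry point is the one the parent chose, which is the override Mark's deepest-match rule is meant to prevent; under ConfiguredKey-trumps-DS the parent's DS is ignored for any zone that has its own anchor, and Any-TrustedKey-works accepts both.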
On 11/1/17, 11:17, "DNSOP on behalf of Ólafur Guðmundsson" wrote:
>Thus the question is twofold
>
>a) is there need for clarification in how protocol works possibly with
>recommendation for resolver "tunable" settings.
>
This is something that might be fit into -validator-requirements-. (Wh
Bob Harold writes:
> I don't understand this section:
>
> 5.1.1. On-the-fly Signatures
> ...
>One possibly mitigation for addressing the risk of keeping the zone
>signing key online would be to continue to keep the key for signing
>positive answers offline and introduce a second key f