On Wed, 1 Apr 2015, Nico Williams wrote:

> DNS servers exist which serve dynamically-generated data, and DNS servers exist which serve signed (on the fly) dynamically-generated RRsets with non-existence proofs. IIUC PowerDNS is one example.

And requiring that the private DNS key be available on all name servers for online signing really adds a huge amount of risk to the server in case of compromise - an attacker could make up OPENPGPKEY records.

Paul
