On Tue, Jul 28, 2015 at 10:52:43AM +0000, Wiley, Glen wrote:
> It might help if you offered more specific points to your question.
> Serving DANE style records for a TLD probably doesn't make much sense as
> those records have more meaning for a SLD. Are you asking about running a
> DNSSEC capable name server or serving a signed zone?
That was my take. DNSSEC is a PKI, so running a signed domain is like running a CA, yes. There are differences:

- There's only one trust anchor for the clients (mostly), because DNSSEC has naming constraints in place from day one.
- There are no CRLs and no OCSP (but stapling of DNSSEC data is possible, though still being nailed down [har]). Revocation is easy: change the keys (and wait for TTLs to pass). This does mean that you have to think carefully about what TTLs to use.
- Enrollment and key rollover still need work, but that's kinda true for PKIX CAs too...

Nico

-- 
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
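The "change the keys and wait for TTLs to pass" point above is where operators get burned, so here is an added example (not part of the thread, not anyone's production code) that turns it into a schedule. It models the pre-publish ZSK rollover timeline from RFC 6781 and a toy resolver cache to show what happens if the old key is withdrawn before every cached RRSIG made with it has expired. The key tags (1000, 2000), the TTLs, the propagation delay and the single lagging authoritative server are all constructed assumptions for illustration.

```python
"""Rollover timing derived from TTLs (pre-publish ZSK rollover, RFC 6781).

Constructed example: key tags, TTLs and propagation delay are illustrative.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

OLD_KEY_TAG = 1000  # hypothetical key tag of the ZSK being retired
NEW_KEY_TAG = 2000  # hypothetical key tag of its replacement


@dataclass(frozen=True)
class ZoneTiming:
    dnskey_ttl: timedelta    # TTL of the apex DNSKEY RRset
    max_zone_ttl: timedelta  # largest TTL among RRsets the ZSK signs
    propagation: timedelta   # until every authoritative server serves a new zone version


def prepublish_schedule(start: datetime, t: ZoneTiming) -> dict:
    """Earliest safe time for each step of a pre-publish ZSK rollover.

    new_dnskey     : publish the new key next to the old one (not signing yet)
    new_rrsigs     : start signing with the new key; by now every cache has
                     dropped any DNSKEY RRset that lacked the new key
    dnskey_removal : drop the old key; by now every cached RRSIG it made,
                     even one fetched from a lagging server, has expired
    """
    new_dnskey = start
    new_rrsigs = new_dnskey + t.dnskey_ttl + t.propagation
    dnskey_removal = new_rrsigs + t.max_zone_ttl + t.propagation
    return {"new_dnskey": new_dnskey, "new_rrsigs": new_rrsigs,
            "dnskey_removal": dnskey_removal}


def first_validation_failure(start: datetime, t: ZoneTiming,
                             removal_time: datetime,
                             step: timedelta = timedelta(minutes=1)):
    """Toy validator model: a resolver fetches an RRset signed by the old key
    at each minute of the window in which old signatures are still served
    (a lagging server keeps serving them for `propagation` after the swap).
    It caches that RRSIG for max_zone_ttl and, at the last moment it may
    still serve from cache, fetches the current DNSKEY RRset to validate.
    The DNSKEY fetch is assumed to come from an up-to-date server, which is
    the conservative case for the old key disappearing.

    Returns the first fetch time whose cached RRSIG can no longer be
    validated, or None if `removal_time` is safe.
    """
    sched = prepublish_schedule(start, t)
    last_old_sig_served = sched["new_rrsigs"] + t.propagation
    q = start
    while q < last_old_sig_served:
        last_use = q + t.max_zone_ttl - step
        # after removal_time the zone's DNSKEY RRset only carries the new key
        dnskey_tags = ({OLD_KEY_TAG, NEW_KEY_TAG} if last_use < removal_time
                       else {NEW_KEY_TAG})
        if OLD_KEY_TAG not in dnskey_tags:
            return q
        q += step
    return None


if __name__ == "__main__":
    start = datetime(2015, 7, 28, 12, 0)
    timing = ZoneTiming(dnskey_ttl=timedelta(hours=1),
                        max_zone_ttl=timedelta(hours=2),
                        propagation=timedelta(minutes=30))
    sched = prepublish_schedule(start, timing)
    for step_name, when in sched.items():
        print(f"{step_name:15} {when:%Y-%m-%d %H:%M}")
    # forgetting the propagation delay on the removal step
    too_early = sched["new_rrsigs"] + timing.max_zone_ttl
    print("removal at", too_early.strftime("%H:%M"), "first failure for resolvers that fetched at",
          first_validation_failure(start, timing, too_early))
    print("removal at", sched["dnskey_removal"].strftime("%H:%M"), "->",
          first_validation_failure(start, timing, sched["dnskey_removal"]))
```

The point the model makes is that the TTL you must wait out is the largest TTL of anything the retiring key signed, plus however long your secondaries lag, not the DNSKEY TTL alone; with a 2-hour zone TTL and a 30-minute propagation delay, removing the old key 30 minutes early strands every resolver that fetched a record in the first half hour after the signature swap. Short TTLs make revocation fast but raise query load, which is the trade-off the message is pointing at.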
