On Sat, 22 Jun 2013, Vernon Schryver wrote:
>> It's something that a signer solution should really check for before
>> allowing a zone to be pushed, even if that means some kind of internet
>> connectivity to get those DS records.
>
> If a "signer solution" is something done by, for, or in a parent
> domain (e.g. the gTLD operator, registry, or registrar),
> thanks but no thanks.

No. I meant the signer that actually signs the child zone, should verify
that it indeed will not cause an invalid child to be published by
rolling a key, leaving its child zone with just bogus DS records at the
parent.
Paul
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
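
The pre-publish check described in the message above, sketched as an added example (not code from the thread or from any signer product): before a rolled DNSKEY set is pushed, confirm that at least one DS at the parent still matches a key in it. The function names, the example.com owner and the key bytes are constructed; the parent's DS set is passed in as data where a real signer would query the parent's servers.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical (lower-case) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, key material."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS as (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def matching_ds(owner, dnskeys, parent_ds):
    """Parent DS records satisfied by some zone key in the set to be published."""
    zone_keys = [k for k in dnskeys if struct.unpack("!H", k[:2])[0] & 0x0100]
    hits = []
    for tag, alg, dtype, digest in parent_ds:
        if dtype not in DIGESTS:
            continue  # a validator ignores digest types it does not support
        want = (tag, alg, dtype, digest.lower())
        if any(make_ds(owner, k, dtype) == want for k in zone_keys):
            hits.append(want)
    return hits

def safe_to_publish(owner, dnskeys, parent_ds):
    """False when the parent has DS records and none matches the new key set.
    A match is necessary, not sufficient: the matched key must also sign the
    DNSKEY RRset, which this sketch does not verify."""
    return not parent_ds or bool(matching_ds(owner, dnskeys, parent_ds))

# Constructed sample data: the key material is arbitrary bytes, not real keys.
OLD_KSK = dnskey_rdata(257, 8, b"constructed-old-ksk-material")
NEW_KSK = dnskey_rdata(257, 8, b"constructed-new-ksk-material")
PARENT_DS = [make_ds("example.com.", OLD_KSK)]  # parent still points at the old KSK

if __name__ == "__main__":
    print("old+new published:", safe_to_publish("example.com.", [OLD_KSK, NEW_KSK], PARENT_DS))
    print("new only published:", safe_to_publish("example.com.", [NEW_KSK], PARENT_DS))
```

An empty DS set at the parent returns True because the delegation is then insecure rather than bogus.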