On Dec 14, 2018, at 10:12 AM, A. Schulze <s...@andreasschulze.de> wrote:
>
> On 11.12.18 at 06:38, Mukund Sivaraman wrote:
>> There was some discussion in last night's meeting about encoding keys in
>> the DNS name of a nameserver, similar to DNSCurve. There are at least
>> some issues with it:
>> 1...4
>
> 5. Encoding a key as DNS name of a nameserver makes key rotation harder.
> Not impossible, but really much harder.
More generally, encoding a key anywhere else makes key rotation harder. It doesn't matter if it's an NS record, an HTTP header, or a text list of current keys. All of these can be automated, and that automation will mostly work, and will cause massive problems in the rare times it doesn't. Having a second place to assure the value of a key is valuable, but that inherently adds some fragility. 'Twas always thus.

--Paul Hoffman
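The rotation cost the thread is arguing about can be made concrete by counting which DNS records, in which zones, have to change when a nameserver's key is rotated. The Python model below is an added example, not part of the thread or of any DNSCurve implementation: the zone names, nameserver name, keys and the "PUBKEY" record type are constructed placeholders, and the key-to-label encoding is a truncated hash standing in for a real base32 encoding, since the coupling argument does not depend on the encoding itself.

```python
"""Model of key rotation for a nameserver whose key is (a) encoded in its DNS
name versus (b) published in a separate record under a stable name.

Added example for the dns-privacy thread above. All names, keys and the
'PUBKEY' record type are constructed placeholders; key_to_label() is a
stand-in for a real key-in-name encoding.
"""
import hashlib

# Constructed topology: one operator zone ("example.") whose nameserver also
# hosts two customer zones; each zone has its own parent (registry) zone.
OPERATOR_ZONE = "example."
HOSTED_ZONES = {            # zone -> parent zone holding its delegation
    "example.": "com.",
    "customer-a.org.": "org.",
    "customer-b.net.": "net.",
}
STABLE_NS_NAME = "ns1.example."   # nameserver name in the separate-record model


def key_to_label(pubkey: bytes) -> str:
    """Stand-in encoding of a public key into a single DNS label.
    Real schemes (DNSCurve) use a base32 form; a truncated SHA-256 hex digest
    is enough to show that the owner name changes whenever the key does."""
    return "k" + hashlib.sha256(pubkey).hexdigest()[:24]


def ns_name_for(pubkey: bytes) -> str:
    """Nameserver name when the key is part of the name (model (a))."""
    return f"{key_to_label(pubkey)}.{OPERATOR_ZONE}"


def changes_key_in_name(old_key: bytes, new_key: bytes) -> set[tuple[str, str, str]]:
    """Records (zone, owner, type) that must change when the key lives in the
    nameserver's name. Old and new address records are both listed because
    they must coexist for at least a TTL during the switch."""
    old, new = ns_name_for(old_key), ns_name_for(new_key)
    changed = set()
    for owner in (old, new):
        # The server's address record is keyed by its (key-derived) name...
        changed.add((OPERATOR_ZONE, owner, "A"))
        # ...and so is the glue at the operator's parent, since the server is
        # in-bailiwick of example.
        changed.add((HOSTED_ZONES[OPERATOR_ZONE], owner, "A"))
    # Every zone served by this nameserver names it in two places: its own
    # apex NS RRset and the delegation NS RRset held by its parent.
    for zone, parent in HOSTED_ZONES.items():
        changed.add((zone, zone, "NS"))
        changed.add((parent, zone, "NS"))
    return changed


def changes_separate_record(old_key: bytes, new_key: bytes) -> set[tuple[str, str, str]]:
    """Same rotation when the key is its own record under a stable name
    (model (b)). 'PUBKEY' is a placeholder type name for this model."""
    return {(OPERATOR_ZONE, STABLE_NS_NAME, "PUBKEY")}


def zones_touched(changes: set[tuple[str, str, str]]) -> set[str]:
    return {zone for zone, _, _ in changes}


def parties_outside_operator(changes: set[tuple[str, str, str]]) -> set[str]:
    """Zones the nameserver operator does not control; each one is a separate
    party whose update must be coordinated (and may fail independently)."""
    return {z for z in zones_touched(changes) if z != OPERATOR_ZONE}


if __name__ == "__main__":
    old_key, new_key = b"\x01" * 32, b"\x02" * 32   # constructed sample keys
    a = changes_key_in_name(old_key, new_key)
    b = changes_separate_record(old_key, new_key)
    print(f"key in name:       {len(a)} records across {sorted(zones_touched(a))}")
    print(f"  outside operator: {sorted(parties_outside_operator(a))}")
    print(f"separate record:   {len(b)} record  across {sorted(zones_touched(b))}")
```

Running it shows the asymmetry behind point 5 and Paul's reply: with the key in the name, one rotation fans out to the operator's zone, its registry, and every hosted zone plus each of their parents, so the automation has to succeed at five other parties; with a separate record it is a single change in a zone the operator controls, at the cost of the extra record being a second thing that can drift out of sync.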
_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy