Daniel Kahn Gillmor <[email protected]> wrote:

> On Fri 2018-12-14 19:12:41 +0100, A. Schulze wrote:
>
> > 5. Encoding a key as DNS name of a nameserver makes key rotation harder.
> > Not impossible, but really much harder.
>
> i agree that it makes it harder, but i'm not convinced that it is *much*
> harder.

In my setup, if server keys are in the server name then rotating them
requires liaison work over email to humans at 8 other organizations.
(And my setup is not big.) If server keys are alongside then it's easy.

> But maybe it's worth reviewing what we're hoping to gain from the
> keys-in-names approach too:
>
> a) indication that private queries are expected to work to this
> particular resolver
>
> b) cryptographic identity material
>
> But what if we cared only about (a)? could we signal with a
> special/magic terminal label just that private queries are expected to
> work, without embedding a key there?

That could be a useful approach.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Lundy, Fastnet, Irish Sea: South 6 to gale 8, increasing severe gale 9 at
times, perhaps storm 10 later. Moderate at first in Irish Sea, otherwise
rough or very rough, occasionally high except in Irish Sea. Occasional
rain. Good, occasionally poor.
