On 8/12/20 8:39 PM, John Levine wrote:
>> I am against adoption for two reasons. The draft, as it currently is,
>> requires that domain name owners and nameserver hosting administrators
>> synchronise their nameserver TLS keys.
> Why wouldn't you publish multiple DS records for multiple nameserver
> keys, like the draft says? We have multiple DS for multiple DNSKEYs.
Yes, they would. Zones would surely publish their new DS in addition to the old one, but you don't want to use the corresponding cert until *all* of them have done so (+TTL). Well, you could tell them that unless they fail to do so by some deadline, the zones may get broken because of this...
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
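The coordination problem the reply above describes, as an added example (not code from the thread or from the draft): a readiness check a nameserver operator could run before switching to a new TLS certificate, refusing the switch until every hosted zone carries a DS for the new key and the old DS RRset has had time to expire from caches. Zone names, digests and timestamps are constructed placeholders, and how the draft actually encodes the TLS key in a DS record is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DSRecord:
    digest: str        # constructed stand-in for the DS digest of a nameserver key
    published_at: int  # constructed: unix time the record first appeared in the zone
    ttl: int           # TTL of the DS RRset in seconds

# Constructed digests; real values would come from the operator's key material.
OLD_DIGEST = "0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0ld0"
NEW_DIGEST = "n3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn3wn"

# Constructed: three hosted zones; example.org. has not yet published the new DS.
ZONES = {
    "example.":     [DSRecord(OLD_DIGEST, 1_600_000_000, 3600),
                     DSRecord(NEW_DIGEST, 1_600_100_000, 3600)],
    "example.net.": [DSRecord(OLD_DIGEST, 1_600_000_000, 86400),
                     DSRecord(NEW_DIGEST, 1_600_050_000, 86400)],
    "example.org.": [DSRecord(OLD_DIGEST, 1_600_000_000, 3600)],
}

def earliest_safe_switch(zones, new_digest):
    """Return (switch_at, blockers).

    blockers lists zones with no DS for the new key; while it is non-empty,
    switch_at is None. Otherwise switch_at is the earliest time at which a
    resolver can no longer hold a cached DS RRset that predates the new DS:
    for each zone, first publication of the new DS plus the RRset TTL, and
    the operator must wait for the latest of these across *all* zones.
    """
    blockers, switch_at = [], 0
    for zone, records in sorted(zones.items()):
        new = [r for r in records if r.digest == new_digest]
        if not new:
            blockers.append(zone)
            continue
        first_seen = min(r.published_at for r in new)
        rrset_ttl = max(r.ttl for r in records)  # longest-lived cached copy
        switch_at = max(switch_at, first_seen + rrset_ttl)
    return (None, blockers) if blockers else (switch_at, [])

def can_switch_cert(zones, new_digest, now):
    """True only when every zone has the new DS and the TTL wait has elapsed."""
    switch_at, blockers = earliest_safe_switch(zones, new_digest)
    return not blockers and now >= switch_at

if __name__ == "__main__":
    print(earliest_safe_switch(ZONES, NEW_DIGEST))          # blocked by example.org.
    print(can_switch_cert(ZONES, NEW_DIGEST, 1_600_200_000))  # False
```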
