On Mar 9, 2009, at 5:35 PM, Mark Andrews wrote:


        On a related issue DS -> DNSKEY translations cannot be
        performed until the DNSKEY is published in the zone.  The
        use of DS prevents pre-publishing of keys.

Huh? You can generate a DS from the DNSKEY record that you have generated but not yet published, so you can pre-publish the DS just as soon as you could pre-publish your DNSKEY. As for actually *using* the DS as a trust anchor, you can't use either the DS or the DNSKEY prior to actually publishing and *using* the DNSKEY. Or maybe I just don't understand your point.


        I can see no real reason to recommend that DS records be
        published in preference to DNSKEY records.

They are small and easier to eyeball as correct.


        DNSKEY -> DS is a conversion that can be done at any time.

        This makes DNSKEY a better mandatory record to publish.

I don't follow.

--
David Blacka                          <[email protected]>
Sr. Engineer          VeriSign Platform Product Development

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
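The point David makes above, that a DS can be derived from a DNSKEY you have generated but not yet published, follows directly from how a DS is built (RFC 4034 section 5 and Appendix B): the digest covers the canonical wire form of the owner name followed by the DNSKEY RDATA, and the key tag is an arithmetic checksum over the RDATA alone. Nothing in that computation requires the key to be in the zone yet. The following Python is an added example written for this page, not code from either poster or from any DNS implementation; the owner name, flags and the tiny public key are constructed values, and the digest type codes used are the ones registered by RFC 4034 (1, SHA-1) and RFC 4509 (2, SHA-256).

```python
"""Derive a DS RR from a DNSKEY RR before the DNSKEY is published.

Added example (constructed inputs). Implements RFC 4034 section 5.1.4
(digest = hash(owner name in canonical wire form || DNSKEY RDATA)) and
RFC 4034 Appendix B (key tag).
"""
import base64
import hashlib
import struct

# DS digest type codes: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2).

    Labels are lowercased, length-prefixed and terminated by the root
    label, so 'Example.COM.' and 'example.com' hash identically.
    """
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("label length must be 1..63 octets: %r" % label)
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-octet flags, 1-octet protocol, 1-octet algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-RSA/MD5 case)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey: bytes, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, hex_digest) for the DNSKEY.

    Only the owner name and the key material are needed; whether the
    DNSKEY is already in the zone does not enter the calculation.
    """
    if digest_type not in DIGEST_ALGS:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_from_presentation(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """Turn 'flags protocol algorithm base64key' into a DS presentation-format line."""
    flags, protocol, algorithm, *b64 = dnskey_text.split()
    pubkey = base64.b64decode("".join(b64))
    tag, alg, dt, digest = make_ds(owner, int(flags), int(protocol), int(algorithm),
                                   pubkey, digest_type)
    return "%s IN DS %d %d %d %s" % (owner, tag, alg, dt, digest)


if __name__ == "__main__":
    # Constructed KSK (flags 257 = ZONE|SEP, protocol 3, algorithm 8) with a
    # two-octet placeholder key; a real RSA key would be much longer.
    print(ds_from_presentation("example.com.", "257 3 8 AQI="))
    print(ds_from_presentation("example.com.", "257 3 8 AQI=", digest_type=1))
```

Because the owner name is part of the digest, a DS is bound to one zone apex: the same DNSKEY published at a different name yields a different DS, which is worth remembering when checking a DS "by eyeball" as the reply suggests.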
