In message <a06240804c5dc2ddef...@[10.31.200.116]>, Edward Lewis writes:
> At 8:35 +1100 3/10/09, Mark Andrews wrote:
> 
> >     This makes DNSKEY a better mandatory record to publish.
> 
> While there's little empirical data on trust anchors to date, my 
> inclination is to whole-heartedly disagree with this statement.  So 
> long as the DS record points to a unique DNSKEY record and the DS 
> record involves less typing than a DNSKEY, I'd want to work with a DS 
> record.

        Has anyone on this list ever typed in a DNSKEY or DS as a
        trust anchor?  I would presume that most (99.9999%) people
        would just cut-and-paste or the equivalent.  I call "ease
        of typing" an unjustifiable justification as no one will be
        doing it even for DS records.

        I will agree that DNSKEYs are harder to compare, but I
        believe impossible trumps harder and it is impossible to
        convert a DS to a DNSKEY prior to the publication of the
        DNSKEY in the DNS.  The reverse is not true.

        Mark
 
> -- 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar                    You can leave a voice message at +1-571-434-5468
> 
> Getting everything you want is easy if you don't want much.
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]