Hi,

> My concern was not about the updates but rather about the gigantic
> number of keys a busy parent would have to create, revoke, store, renew,
> etc.
>
> It doesn't make sense to me to utilize symmetric encryption (such as
> TSIG) to solve this problem. A scheme that utilized an asymmetric key
> would be a much better fit. DNSSEC itself would be a strong candidate
> here.

The draft does not restrict which signature method is to be used. Anything that DNS update messages support can be employed here, SIG(0) for example.
Also, the draft has details about the upsides and downsides of using an additional channel via DNS update messages in section 5 (Security Considerations).

Regards,
Wolfgang

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
