On 2 jul 2010, at 09.13, Wolfgang Nagele wrote:

> Maybe I am missing something here, but with the publication method you also 
> have
> the bootstrap that has to happen out-of-band. Meaning I as a child will always
> have to provide my parent in a secure way (which is not established by then)
> with my initial (C)DS record. Why not use that step to perform above mentioned
> exchange?

The possibility to use a non-DNSSEC scheme for authentication is one of the 
reasons I support this draft. Any parent/child API does need a shared secret 
(or keypair), whether it is used for a RESTful HTTP API or dynamic DNS UPDATE 
doesn't change this. Trying to reuse DNSSEC itself for this authentication, and 
still support both the initial key transfer and key rollover in case of key 
compromise, does IMHO not fly.

        jakob

--
Jakob Schlyter
Kirei AB - www.kirei.se
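Added example, not part of this thread or any Kirei code: a Python model of the parent-side CDS check that separates the bootstrap case Wolfgang describes (no DS exists yet, so nothing in the DNSSEC chain can authenticate the child) from an in-chain rollover, using the RFC 4034 key tag and DS digest computation. The zone name and DNSKEY rdata are constructed placeholders, and RRSIG validation of the CDS RRset is deliberately left out.

```python
import hashlib

# Constructed placeholders: a KSK (flags=257, protocol=3, alg=13) with a made-up
# 64-byte public key. Not a real key, not from the thread.
CHILD = "example.net."
DNSKEY_RDATA = bytes([1, 1, 3, 13]) + bytes(range(64))

def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each length-prefixed, terminated by the root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, rdata: bytes) -> tuple:
    """DS/CDS fields (RFC 4034 s5.1, RFC 7344): (key tag, algorithm,
    digest type 2 = SHA-256, hex digest of owner wire name + DNSKEY rdata)."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def parent_cds_decision(parent_ds: set, child_dnskeys: list, owner: str) -> str:
    """Parent-side policy for a child's CDS publication.
    'bootstrap': the parent holds no DS for the child, so no existing chain of
    trust can authenticate the CDS; the first DS must arrive over a separately
    authenticated channel (shared secret or keypair, as the reply argues).
    'rollover': a published DNSKEY matches a current DS, so the CDS RRset can
    be accepted once its RRSIG by that key validates (not modelled here).
    'reject': DS exists but none of the published keys is in the chain."""
    if not parent_ds:
        return "bootstrap"
    if any(ds_from_dnskey(owner, k) in parent_ds for k in child_dnskeys):
        return "rollover"
    return "reject"
```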


_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
