Dear all,
http://tools.ietf.org/id/draft-barwood-dnsop-ds-publish-02.txt
There does not seem to be a lot of feedback on this draft?
(some comments on version 01 only)
Yet, couldn’t this lead to better acceptance of DNSSEC deployment?
Personally I had two questions/remarks when I (only) just read this version:
1) First paragraph of “Usage”:
“Child zone MAY send a NOTIFY message”
→ if this is a regular DNS Notify message to make a slave check SOA on a slave,
secure configuration of the master would surely block notify messages!
(the “parent” of a domain is not guaranteed to be slave for it!)
2) “Usage” paragraph 3: parent should check SEP flag is set.
This would mean only DS’s corresponding to KSK’s can be in the parent zone?
Isn’t this contradictory with other statements to use only one type of DNSKEY?
(not that I am in favour of that – I already contributed I am not,
but I accept that some may prefer only one type)
Kind regards,
Marc Lampo
Security Officer
EURid
Woluwelaan 150
1831 Diegem - Belgium
TEL.: +32 (0) 2 401 3030
MOB.:+32 (0)476 984 391
[email protected]
http://www.eurid.eu