On Thu, Apr 12, 2012 at 08:27:21AM -0600, Stephan Lagerholm wrote:
> Specifically in this case, you are assuming that the parent knows the
> algorithms used for the DS record. He would have to in order to
> validate. That might not always hold true. Additionally, the record is
> not 'yours', it is just parked in your zone by the child. For the parent
> to tamper with either the NS or DS is IMHO not a good practice.
The DS is _not_ parked in the parent zone by the child. Unlike the NS record, the DS record is authoritative data at the parent, and never at the child. As I read the RFCs, the DS record is fully and completely parent-side data, and is the parent's assertion of its relationship to the child.

I really think we have to get over the idea that the DS record is somehow "the child's data" that is merely represented in the parent side. That way of thinking about this is a good way, IMO, to get failed chains across the zone cut. IMO it is better to think of the DS/DNSKEY pair as a way of expressing accord across a zone cut, with each side contributing a portion of the effort and holding a portion of the responsibility.

Best,

A

--
Andrew Sullivan
a...@anvilwalrusden.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
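A worked illustration of the DS/DNSKEY pairing discussed in this message, added here and not part of the thread: the child publishes a DNSKEY, the parent derives and publishes the DS from it (RFC 4034 section 5.1.4, RFC 4509 for SHA-256), and a validator checks that the two sides agree across the zone cut. The key bytes and names are constructed dummies, and the helper names are my own.

```python
import hashlib
import struct

# Canonical wire form of an owner name (RFC 4034 section 6.2): labels
# lowercased, each prefixed by its length, terminated by the root label.
def canonical_name(name):
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

# DNSKEY RDATA: flags (257 = KSK/SEP), protocol (always 3), algorithm, key.
def dnskey_rdata(flags, protocol, algorithm, public_key):
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

# Key tag over the DNSKEY RDATA (RFC 4034 Appendix B).
def key_tag(rdata):
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# digest = H(canonical owner name || DNSKEY RDATA)
def ds_digest(owner, rdata, digest_type=2):
    if digest_type not in _DIGESTS:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    return _DIGESTS[digest_type](canonical_name(owner) + rdata).digest()

# Parent side: the DS it publishes for the child's DNSKEY, as
# (key tag, algorithm, digest type, digest).
def parent_ds_record(owner, rdata, digest_type=2):
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

# Validator side: does the parent's DS match this DNSKEY found at the child?
# Any disagreement (rolled key, wrong algorithm, stale DS) breaks the chain here.
def ds_matches_dnskey(ds, owner, rdata):
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata)
            and alg == rdata[3]
            and digest == ds_digest(owner, rdata, dtype))

if __name__ == "__main__":
    child_key = dnskey_rdata(257, 3, 8, b"\x01\x02")   # constructed dummy KSK
    ds = parent_ds_record("example.com.", child_key)
    print("DS", ds[0], ds[1], ds[2], ds[3].hex())
    print("chain intact:", ds_matches_dnskey(ds, "example.com", child_key))
```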