On Apr 19, 2013, at 11:21, Wes Hardaker wrote:

> Besides the other two comments: DS records are signed with the ZSK, and
> the CDS document explains why it needs to be signed with the KSK instead
> (also).

That is one of the things I don't like about the CDS semantics. I don't want special signing rules and would hope that using a "second factor" would suffice.

When it comes to the root zone, the example given to me as the justification for this, CDS wouldn't apply and if it did, there's the second factor being the transport of the keys via the KSR and specific steps in the KSK ceremony script. (For some reason, when I try to write this, I lose the terminology I want to use.)

I am unconvinced that the special signing rules mentioned in the draft are warranted, and that is one of the main reasons I am not a supporter of the draft. I have a fundamental objection to that specific provision. Yes, even understanding the rationale for it, I don't buy the reason.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.
