On Apr 19, 2013, at 12:41, Paul Wouters wrote:

> Which is why the ZSK should never be trusted for a RRSIG over CDS to
> update the DS records, because then it could cycle the existing KSK out
> of the DNSKEY RRset.
My response is that the CDS should not automatically cause a change to the DS, just marshal the data. I am pushing to rely on a second factor (the security over the c&c channel to the parent) to verify the request. I'm not comfortable with in-band scraping.

PS - What if the KSK/SEP is compromised? Then the attacker can roll the legitimate KSK out and replace it with their own (assuming that they could do it as described).

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.
_______________________________________________
DNSOP mailing list
dnsop@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
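The two messages above argue about which key may authorise a CDS-driven DS change and whether the parent should act on it at all. The following Go program is an added example written for this page; it is not code from the thread, from either participant, or from any registry. It models the rule that RFC 7344 (then a draft) later fixed: the parent accepts a CDS RRset only when its RRSIG was made by a key that is in the child's DNSKEY RRset and already has a DS at the parent, so a ZSK-signed CDS cannot cycle the KSK out. It then shows the point of the PS: a CDS signed by a compromised KSK passes that same in-band check, which is why the accepted set is only marshalled and a hypothetical `ApplyDS` gate (the "second factor" over the registrant-to-parent channel) is required before the DS RRset changes. Assumptions: DNSSEC algorithm 13 (ECDSAP256SHA256) and DS digest type 2, real DNSKEY RDATA, key tag and DS computation per RFC 4034, but a simplified RRSIG that signs only owner name plus CDS RDATA rather than the full RRSIG canonical form; the zone `example.` and all keys are generated on the fly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// DNSSEC algorithm 13 (ECDSAP256SHA256), DS digest type 2 (SHA-256), DNSKEY flag values.
const algECDSAP256, dsSHA256 = 13, 2
const flagsZSK, flagsKSK uint16 = 256, 257 // ZONE, ZONE|SEP

// DS is one DS record as the parent stores it; a CDS record carries identical RDATA.
type DS struct {
	KeyTag     uint16
	Alg, DType uint8
	Digest     [32]byte
}

// ownerWire encodes "example." as \x07example\x00 (RFC 1035 wire form).
func ownerWire(name string) (w []byte) {
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		w = append(append(w, byte(len(label))), label...)
	}
	return append(w, 0)
}

// dnskeyRdata builds DNSKEY RDATA: flags(2) protocol(1)=3 algorithm(1) pubkey(X||Y), 68 bytes.
func dnskeyRdata(flags uint16, pub *ecdsa.PublicKey) []byte {
	out := []byte{byte(flags >> 8), byte(flags), 3, algECDSAP256}
	out = append(out, pub.X.FillBytes(make([]byte, 32))...)
	return append(out, pub.Y.FillBytes(make([]byte, 32))...)
}

// keyTag is RFC 4034 Appendix B. It is a checksum, not a unique ID, so lookups try every match.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, c := range rdata {
		ac += uint32(c) << (8 * uint(1-i%2))
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}

// dsOf derives the DS the parent would publish for a DNSKEY (RFC 4034 section 5.1.4).
func dsOf(owner string, rdata []byte) DS {
	return DS{keyTag(rdata), algECDSAP256, dsSHA256, sha256.Sum256(append(ownerWire(owner), rdata...))}
}

// SignedCDS is the child's CDS RRset plus the RRSIG over it; Sig is r||s, 64 bytes.
type SignedCDS struct {
	Owner     string
	CDS       []DS
	SignerTag uint16
	Sig       []byte
}

// cdsDigest hashes owner || each CDS RDATA. Simplification (assumed here): a real RRSIG also
// covers the RRSIG RDATA fields (RFC 4034 section 3.1.8.1); the trust rule does not depend on that.
func cdsDigest(owner string, cds []DS) []byte {
	b := ownerWire(owner)
	for _, d := range cds {
		b = append(append(b, byte(d.KeyTag>>8), byte(d.KeyTag), d.Alg, d.DType), d.Digest[:]...)
	}
	h := sha256.Sum256(b)
	return h[:]
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// SignCDS is the child side: sign the CDS RRset with whichever key the operator chose.
func SignCDS(owner string, cds []DS, flags uint16, priv *ecdsa.PrivateKey) SignedCDS {
	r, s, err := ecdsa.Sign(rand.Reader, priv, cdsDigest(owner, cds))
	if err != nil {
		panic(err)
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return SignedCDS{owner, cds, keyTag(dnskeyRdata(flags, &priv.PublicKey)), sig}
}

// AcceptCDS is the parent's in-band check (RFC 7344 section 4.1): the RRSIG over CDS must be
// made by a key that is in the child's DNSKEY RRset and whose DS is already in the parent's
// DS RRset. A ZSK has no DS, so a ZSK-signed CDS cannot cycle the KSK out. The accepted set
// is only marshalled as a proposal; nothing is applied here.
func AcceptCDS(parentDS []DS, childDNSKEYs [][]byte, sc SignedCDS) ([]DS, error) {
	if len(sc.Sig) != 64 {
		return nil, errors.New("malformed RRSIG over CDS")
	}
	trusted := map[DS]bool{}
	for _, p := range parentDS {
		trusted[p] = true
	}
	r, s := new(big.Int).SetBytes(sc.Sig[:32]), new(big.Int).SetBytes(sc.Sig[32:])
	for _, rdata := range childDNSKEYs {
		if len(rdata) != 68 || keyTag(rdata) != sc.SignerTag || !trusted[dsOf(sc.Owner, rdata)] {
			continue // not the signer, or the signer has no DS at the parent
		}
		x, y := new(big.Int).SetBytes(rdata[4:36]), new(big.Int).SetBytes(rdata[36:68])
		if ecdsa.Verify(&ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, cdsDigest(sc.Owner, sc.CDS), r, s) {
			return sc.CDS, nil
		}
	}
	return nil, errors.New("CDS not signed by a key in both the child DNSKEY RRset and the parent DS RRset")
}

// ApplyDS is the hypothetical second factor: the proposal replaces the parent's DS RRset only
// after confirmation over the registrant-to-parent channel. A compromised KSK passes AcceptCDS,
// so this gate is all that stands between it and the delegation.
func ApplyDS(parentDS, proposed []DS, confirmedOutOfBand bool) ([]DS, error) {
	if !confirmedOutOfBand {
		return parentDS, errors.New("CDS update held: not confirmed out of band")
	}
	return proposed, nil
}

func main() {
	owner, ksk, zsk, evil := "example.", genKey(), genKey(), genKey() // constructed keys
	kskRdata := dnskeyRdata(flagsKSK, &ksk.PublicKey)
	keys := [][]byte{kskRdata, dnskeyRdata(flagsZSK, &zsk.PublicKey)}
	parent := []DS{dsOf(owner, kskRdata)}
	evilDS := dsOf(owner, dnskeyRdata(flagsKSK, &evil.PublicKey)) // attacker's replacement KSK
	_, err := AcceptCDS(parent, keys, SignCDS(owner, []DS{evilDS}, flagsZSK, zsk))
	fmt.Println("ZSK-signed CDS refused in-band:", err != nil)
	proposed, err := AcceptCDS(parent, keys, SignCDS(owner, []DS{evilDS}, flagsKSK, ksk))
	fmt.Println("compromised-KSK CDS passes in-band:", err == nil)
	_, err = ApplyDS(parent, proposed, false)
	fmt.Println("applied without the second factor:", err == nil)
}
```

Running it prints `true`, `true`, `false`: the signer rule stops the ZSK, but it cannot tell a legitimate KSK from a stolen one, so the only defence against the scenario in the PS is that the marshalled proposal never reaches the DS RRset until the out-of-band channel confirms it.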
