On 04/22/2013 02:19 PM, Joe Abley wrote:
> On 2013-04-22, at 17:17, Wes Hardaker <[email protected]> wrote:
>
>> Wes Hardaker <[email protected]> writes:
>>
>>> For what it's worth: I'm sort of on the fence when it comes to needing
>>> to sign with the KSK. There are so very very few key-split owners out
>>> there that it's not a huge market for them, and I doubt any of them will
>>> want to do CDS anyway to their parent.
>>
>> FYI: I meant to mention that there is a significant number of operators
>> that do actually protect their keys with different levels of protection
>> and keep their KSKs in a "better vault".
>
> That's interesting. Can you cite examples?
>
> The only example I know of is the root zone, which is weird and special for a
> variety of non-technical reasons. Last time I looked neither the BIND9 nor
> OpenDNSSEC toolchains supported offline-KSK operations without a lot of hackery.

Various TLDs discussed their plans to take similar steps at various
points in the past. There is no reason to believe that other sites
(particularly large financials) wouldn't be doing the same.
That said, I don't see any reason to introduce "ZSK can validate a CDS
record," and lots of reasons to require the KSK(s) to do so. If off-line
KSK users can't use CDS to do their thing, I'm sure they would consider
that an acceptable compromise.
Doug
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
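The rule Doug argues for above, that a CDS RRset must be signed by the KSK rather than the ZSK, can be expressed as a key-selection check on the consuming (parent) side. The following is an added example and not code from the thread or from any DNS implementation: it computes DNSKEY key tags as in RFC 4034 Appendix B, matches the key tag named in the RRSIG over CDS against the child's DNSKEY RRset, and accepts only candidate keys that carry the SEP flag (flags value 257). The zone name, key bytes and RRSIG fields are constructed; cryptographic verification of the RRSIG is assumed to happen separately against one of the keys this check returns.

```python
# Added example (not from the DNSOP thread): policy check that a CDS RRset
# is signed by a KSK (DNSKEY with SEP flag set) rather than a ZSK.
# Key tags follow RFC 4034 Appendix B (all algorithms except 1/RSAMD5).
# Signature verification itself is out of scope here and is assumed to be
# done against one of the keys returned by acceptable_signing_keys().
# All key material and RRSIG fields below are constructed, not real.

from dataclasses import dataclass
import struct

ZONE_KEY_FLAG = 0x0100   # RFC 4034: bit 7, "Zone Key"
SEP_FLAG = 0x0001        # RFC 4034: bit 15, "Secure Entry Point" (the KSK marker)


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags (2), protocol (1), algorithm (1), public key.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: sum even-indexed bytes shifted left 8, odd
        # bytes as-is, then fold the carry back in and keep 16 bits.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def is_ksk(self) -> bool:
        # A KSK must be a zone key and carry the SEP bit (flags == 257).
        return bool(self.flags & ZONE_KEY_FLAG) and bool(self.flags & SEP_FLAG)


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    key_tag: int
    signer_name: str


# Constructed child zone and DNSKEY RRset (hypothetical, not real keys).
ZONE = "example."
KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=b"\x10\x20\x30\x40")
ZSK = DNSKEY(flags=256, protocol=3, algorithm=13, public_key=b"\x11\x22\x33\x44")
DNSKEYS = [KSK, ZSK]


def acceptable_signing_keys(dnskeys, rrsig, zone):
    """Keys that may validate this RRSIG under the 'CDS must be KSK-signed' rule.

    Key tags are not unique, so every DNSKEY with a matching tag is a
    candidate; only those that are KSKs are returned. The caller then
    verifies the signature against one of them.
    """
    if rrsig.type_covered != "CDS" or rrsig.signer_name != zone:
        return []
    return [k for k in dnskeys if k.key_tag() == rrsig.key_tag and k.is_ksk()]


def cds_signed_by_ksk(dnskeys, rrsig, zone):
    """True if at least one KSK in the DNSKEY RRset could have produced the RRSIG."""
    return bool(acceptable_signing_keys(dnskeys, rrsig, zone))


if __name__ == "__main__":
    for label, sig in [
        ("KSK-signed CDS", RRSIG("CDS", KSK.key_tag(), ZONE)),
        ("ZSK-signed CDS", RRSIG("CDS", ZSK.key_tag(), ZONE)),
        ("RRSIG over DNSKEY, not CDS", RRSIG("DNSKEY", KSK.key_tag(), ZONE)),
    ]:
        verdict = "accept" if cds_signed_by_ksk(DNSKEYS, sig, ZONE) else "reject"
        print(f"{label}: key tag {sig.key_tag} -> {verdict}")
```

Because two keys can share a key tag, the check returns the set of KSKs that match rather than a single key; the signature must then actually verify against one of them before the CDS content is trusted. A ZSK-only match yields an empty set and is rejected, which is exactly the restriction Doug is proposing.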