On Mon, 22 Apr 2013, Warren Kumari wrote:
Um, I'm probably missing something obvious here, but you cannot use CDS to
enroll in DNSSEC. This means that you'll have to use the original out-of-band
system -- what if we extend Wes's radio buttons to include ZSK / KSK[0]?
Update the DS record when (pick one):
[ ] Ever a properly signed CDS record exists
[ ] Ever a properly signed CDS record exists and I click an OK button here
[ ] Never. I enjoy the ctrl-v experience.
Require that this is signed with the KSK?
[ ] Yes, I have a separate process for my keys.
[ ] Nope, they all live on the same filesystem. If someone gets one, they
have the other.
Obviously the parent now has more state (and the child's logic is a little
trickier), but...
You are making keys without the SEP bit an indirect Secure Entry Point.
They become their own boss. In such a case, you might as well give that
key the SEP bit (and not ruin the meaning of the bit for others)
Paul
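The parent-side policy sketched in the radio buttons above, together with Paul's SEP-bit point, as an added Python example that is not code from the thread: it assumes the CDS RRSIG has already been cryptographically validated and only the signer's key tag is passed in, and the zone name and DNSKEYs are constructed sample data.

```python
import hashlib
import struct

# Constructed sample child zone (hypothetical; not data from the thread).
ZONE = "example."
KSK = {"flags": 257, "protocol": 3, "alg": 13, "pubkey": b"\x01" * 64}  # SEP bit set
ZSK = {"flags": 256, "protocol": 3, "alg": 13, "pubkey": b"\x02" * 64}  # SEP bit clear
SEP_FLAG = 0x0001

def dnskey_rdata(key):
    return struct.pack("!HBB", key["flags"], key["protocol"], key["alg"]) + key["pubkey"]

def key_tag(key):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical wire form of the owner name (lower-cased labels, root terminator)."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def cds_from_dnskey(name, key):
    """CDS/DS fields (key tag, algorithm, digest type 2, SHA-256 digest) per RFC 4509."""
    digest = hashlib.sha256(owner_wire(name) + dnskey_rdata(key)).hexdigest()
    return (key_tag(key), key["alg"], 2, digest)

def parent_decision(mode, require_ksk, dnskeys, cds_rrset, signer_tag,
                    operator_ok=False, zone=ZONE):
    """Apply the parent's DS update policy; returns (accept, reason).

    mode is "ever", "ever-and-ok" or "never" (the three radio buttons).
    signer_tag is the key tag from the CDS RRSIG, assumed already validated
    against the child's DNSKEY RRset (signature checking is out of scope here).
    """
    if mode == "never":
        return False, "policy: DS is only ever updated out of band"
    by_tag = {key_tag(k): k for k in dnskeys}
    signer = by_tag.get(signer_tag)
    if signer is None:
        return False, "CDS RRSIG signer is not in the child's DNSKEY RRset"
    if require_ksk and not signer["flags"] & SEP_FLAG:
        return False, "CDS signed by a key without the SEP bit"
    for tag, alg, dtype, digest in cds_rrset:  # every CDS must match a published DNSKEY
        key = by_tag.get(tag)
        if key is None or (tag, alg, dtype, digest) != cds_from_dnskey(zone, key):
            return False, "CDS %d does not match a published DNSKEY" % tag
    if mode == "ever-and-ok" and not operator_ok:
        return False, "valid CDS seen; waiting for operator to click OK"
    return True, "DS updated from CDS"
```

With require_ksk off, a ZSK-signed CDS is accepted, which is exactly the case Paul describes: a key without the SEP bit acting as an indirect Secure Entry Point.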
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop