On Tue, 23 Apr 2013, Edward Lewis wrote:
What I am saying is, if there are cases of someone thinking that it is worth the time to split KSK and ZSK, I'd urge them to reconsider.
If your nameserver requires the private ZSK for inline/ondemand signing, like bind or powerdns, then having the KSK offline on another machine is a very valid use case. The CDS record should not break that. Paul _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
