On Apr 23, 2013, at 11:52, Paul Hoffman wrote:

> It is perfectly reasonable for a parent to have a policy of "we will not look
> for a CDS until we have gotten an authenticated request to do so", and that
> request mechanism can be a standardized HTTP request. Designing the latter is
> trivial and can be done in parallel with the CDS work.
>
> FWIW, I think that the out-of-band "make me look" protocol is quite
> worthwhile. The more I look at some of the weirdness that is in CDS
> (artificial differences of KSK and ZSK, partial signing, etc.), the more I
> think that trying to do this in DNS under DNSSEC is stretching the DNS too
> far.

I agree with both of those statements.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
