On Apr 23, 2013, at 11:58, Paul Wouters wrote:

> On Tue, 23 Apr 2013, Edward Lewis wrote:
>
> If your nameserver requires the private ZSK for inline/ondemand signing,
> like bind or powerdns, then having the KSK offline on another machine is
> a very valid use case. The CDS record should not break that.
I don't agree with that - if the ZSK is compromised, what good is having a non-compromised KSK?

For anyone other than the root, changing the KSK is pretty trivial. Even without CDS.

Back in the day, one of the fears was weak host security. That's gotten a lot better. And the use of hidden masters inside protected enclaves has become much more common. With these advancements over time, complicating key management is less desirable.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.
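The following is an added example, not part of the thread above or of any nameserver's code, showing what the CDS record under discussion actually carries: the key tag, algorithm, digest type and digest of the zone's KSK DNSKEY, computed exactly as the parent computes a DS record (RFC 4034 section 5.1.4 and Appendix B). The key material is a constructed dummy (32 zero bytes in place of an ECDSA P-256 public key) so that the key tags can be checked by hand; names and function names are the example's own. The example also makes the structural point behind the disagreement visible: CDS is ordinary zone data, so in an inline-signing setup like the one Paul describes it is signed by the online ZSK, not by the offline KSK it describes.

```python
"""Added example: derive DS/CDS RDATA from a DNSKEY (RFC 4034 s5.1.4, App. B)."""
import hashlib
import struct

SEP_FLAG = 0x0001  # Secure Entry Point bit: set on a KSK, clear on a ZSK


def canonical_name(owner: str) -> bytes:
    """Owner name in canonical wire form (lowercase labels, RFC 4034 s6.2)."""
    name = owner.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    hashes = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    return hashes[digest_type](canonical_name(owner) + rdata).hexdigest().upper()


def cds_rdata(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """(key tag, algorithm, digest type, digest) for a CDS record: the same
    four fields the parent publishes in the DS record."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)


def cds_rrset(owner, dnskeys, digest_type=2):
    """Presentation-format CDS RRset for every SEP-flagged (KSK) DNSKEY.
    ZSKs are skipped: only keys the parent should anchor belong in CDS.
    Note that this RRset is zone data; whoever signs the zone signs it."""
    records = []
    for flags, protocol, algorithm, pubkey in dnskeys:
        if not flags & SEP_FLAG:
            continue
        tag, alg, dt, digest = cds_rdata(owner, flags, protocol, algorithm, pubkey, digest_type)
        records.append(f"{owner} IN CDS {tag} {alg} {dt} {digest}")
    return records


# Constructed sample keys (NOT real key material): 32 zero bytes stand in for
# an ECDSA P-256 (algorithm 13) public key so the key tags can be checked by hand.
FAKE_PUBKEY = bytes(32)
KSK = (257, 3, 13, FAKE_PUBKEY)  # flags 257 = ZONE + SEP
ZSK = (256, 3, 13, FAKE_PUBKEY)  # flags 256 = ZONE only

if __name__ == "__main__":
    for rr in cds_rrset("example.com.", [KSK, ZSK]):
        print(rr)
```

With the dummy key the KSK's tag works out to 0x0101 + 0x030D = 1038 and the ZSK's to 1037; the digest itself is over the owner name as well as the RDATA, so the same key yields a different CDS under a different zone name.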
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop