Paul Wouters <[email protected]> writes:

> Interesting draft. I'm not yet sure if I prefer this over the CDS draft
> or not, or whether this draft should exclude DNSKEY/DS sync. I like that
> this draft could potentially solve all parent-child record syncing.

Thanks; it's the latter problem that I was actually trying to solve.
The DS additions, as mentioned in the draft, were added late just as a
"food for thought" experiment.  Personally, I agree more with the CDS
draft that a CDS record would need to be signed by the SEP-bit key, or
else the security model of the SEP-bit is greatly changed.  But, I
understand that others have argued against this saying that there are
really very few zones where the keys are protected differently or
"owned" differently.  So, if that's the case then CSYNC should be a
suitable mechanism?  Hence, the thought experiment.
 
I'll get back to you about your other comments, but I appreciate
(already) you writing them up.  Thank you!
-- 
Wes Hardaker
Parsons
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop