[I have too many unread emails in dnsop, so excuse me if I am repeating what was said earlier.]
On 4. 10. 2013, at 15:31, Olafur Gudmundsson <[email protected]> wrote:

> Matthijs and Paul
> I insisted on renaming the CDS to CTA in the last version just so we can
> clearly talk about options.
>
> Strictly speaking we have 6 possible ways forward
> 1) DNSKEY only
> 2) CDS as DS
> 3) CDS + CDNSKEY as separate RR types
> 4) CTA that can include both DS and DNSKEY as RDATA
> 5) CDS + DNSKEY
> 6) Do not standardize, this is too hard/controversial?

Why not just use the DNSKEY flag bits, similar to RFC5011?

E.g. Bit 7 of the DNSKEY Flags designated as the 'SYNCHRONIZE' flag.

If this bit is set to '1', AND the 'REVOKE' Bit[RFC5011] of the DNSKEY Flags is set to '0', AND the parent[*] operator sees a RRSIG(DNSKEY) signed by the associated key, then the parent MAY consider adding a new DS record for this key to the parent zone records.

If this bit is set to '1', AND the 'REVOKE' Bit[RFC5011] of the DNSKEY Flags is set to '1', AND the parent[*] operator sees a RRSIG(DNSKEY) signed by the associated key, then the parent MAY consider removing the DS record for this key from the parent zone.

O.
--
Ondřej Surý -- Chief Science Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:[email protected] http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
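The flag-bit rule proposed in the message above, worked through as an added example that is not part of the original thread and not code from any DNS implementation. It assumes a hypothetical SYNCHRONIZE flag (the proposal never assigned a bit; the example uses the then-unassigned bit 14, value 0x0002, as a placeholder), constructed placeholder public keys rather than real key material, and that RRSIG(DNSKEY) signature verification has already been done elsewhere, so the parent's check is reduced to "which key tags signed the RRset". Key tags and the SHA-256 DS digest follow RFC 4034. One detail the rule has to handle: setting the REVOKE bit changes the key tag (RFC 5011), so the DS to remove is looked up under the tag the key had before revocation.

```python
import hashlib
import struct

# DNSKEY Flags bit values (RFC 4034 section 2.1.1, RFC 5011 section 2.1).
ZONE_KEY = 0x0100   # bit 7: Zone Key
REVOKE = 0x0080     # bit 8: REVOKE
SEP = 0x0001        # bit 15: Secure Entry Point
# Hypothetical SYNCHRONIZE flag from the proposal. The bit value is an
# assumption for this example: the flag was never assigned, and bit 14
# (value 2) was unassigned at the time.
SYNCHRONIZE = 0x0002


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of a domain name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: Flags(2) | Protocol(1) | Algorithm(1) | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithm 1 special case not handled)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over (owner name in wire form | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def parent_actions(owner, dnskeys, signer_tags, existing_ds_tags):
    """Apply the proposed SYNCHRONIZE/REVOKE rule to a child's DNSKEY RRset.

    dnskeys: list of (flags, protocol, algorithm, pubkey) tuples.
    signer_tags: key tags of keys whose RRSIG(DNSKEY) over this RRset verified
        (cryptographic verification assumed done before calling this).
    existing_ds_tags: key tags already published as DS records in the parent.
    Returns (to_add, to_remove): to_add is a list of (key tag, DS digest hex),
    to_remove a list of key tags whose DS should go away.
    """
    to_add, to_remove = [], []
    for flags, protocol, algorithm, pubkey in dnskeys:
        if not flags & SYNCHRONIZE:
            continue  # key does not ask to be synchronized
        rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
        tag = key_tag(rdata)
        if tag not in signer_tags:
            continue  # no RRSIG(DNSKEY) by this key, so no proof of control
        if not flags & REVOKE:
            if tag not in existing_ds_tags:
                to_add.append((tag, ds_digest_sha256(owner, rdata)))
        else:
            # REVOKE changes the key tag; the parent's DS carries the tag the
            # key had before the bit was set, so recompute it without REVOKE.
            original_tag = key_tag(
                dnskey_rdata(flags & ~REVOKE, protocol, algorithm, pubkey))
            if original_tag in existing_ds_tags:
                to_remove.append(original_tag)
    return to_add, to_remove


# Constructed sample RRset: the "public keys" are placeholder bytes, not real keys.
OWNER = "example."
NEW_KSK = (ZONE_KEY | SEP | SYNCHRONIZE, 3, 13, b"\x01\x02")           # wants a DS
REVOKED_KSK = (ZONE_KEY | SEP | SYNCHRONIZE | REVOKE, 3, 13, b"\x05\x06")  # wants DS gone
PLAIN_ZSK = (ZONE_KEY, 3, 13, b"\x03\x04")                              # no SYNCHRONIZE
UNSIGNED_KSK = (ZONE_KEY | SEP | SYNCHRONIZE, 3, 13, b"\x09\x09")       # signed nothing


def demo():
    """Run the rule over the constructed RRset and return the parent's actions."""
    dnskeys = [NEW_KSK, REVOKED_KSK, PLAIN_ZSK, UNSIGNED_KSK]
    # Keys that (we assume) produced valid RRSIG(DNSKEY) records.
    signer_tags = {key_tag(dnskey_rdata(*NEW_KSK)), key_tag(dnskey_rdata(*REVOKED_KSK))}
    # The parent published a DS for REVOKED_KSK back when REVOKE was clear.
    pre_revoke = (REVOKED_KSK[0] & ~REVOKE,) + REVOKED_KSK[1:]
    existing_ds_tags = {key_tag(dnskey_rdata(*pre_revoke))}
    return parent_actions(OWNER, dnskeys, signer_tags, existing_ds_tags)


if __name__ == "__main__":
    add, remove = demo()
    for tag, digest in add:
        print(f"add    DS {OWNER} {tag} 13 2 {digest}")
    for tag in remove:
        print(f"remove DS {OWNER} with key tag {tag}")
```

PLAIN_ZSK is skipped because it never set SYNCHRONIZE, and UNSIGNED_KSK is skipped because no RRSIG(DNSKEY) by it was seen, which is the property that stops an attacker who can only inject a DNSKEY record, but cannot sign the RRset with it, from getting a DS published.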
