On 9. 10. 2013, at 15:44, Warren Kumari <[email protected]> wrote:

> [0]: For example, there are some children who want to publish two (or
> multiple) DS records in their parent, and keep one of the DNSKEYs hidden /
> private / secret. That way, if their key is compromised they can just start
> signing with the new DNSKEY.

I would expect them to use the existing mechanisms (EPP/registrar web) to publish such a DS record for a hidden DNSKEY. Thus I am not convinced that we need to provide out-of-channel mechanisms for such cases. I think that most cases would be covered by DNSKEY flags (as suggested in my previous email) and the rest can be handled via existing provisioning mechanisms.

O.
--
 Ondřej Surý -- Chief Science Officer
 -------------------------------------------
 CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:[email protected] http://nic.cz/
 tel:+420.222745110 fax:+420.222745112
 -------------------------------------------
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
