On 02/06/2014 11:13 AM, Warren Kumari wrote:
> This means that you can use this to update / replace / remove existing DS records (if you have keys A, B, C and D and want to stop using C, you simply publish A, B, D), but you cannot remove *all* DS records / go unsigned.
If we're willing to allow zones to go from unsigned to signed via CDS, why not go from signed to unsigned? Both situations represent DOS vectors via MITM.
Doug

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
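As an added illustration of the acceptance rule Warren describes (this is constructed example code, not code from the thread, the draft, or any registry's CDS implementation; the record shape, the function names and the `allow_bootstrap` knob are assumptions), a toy parent-side CDS processor: individual DS records can be added, replaced or dropped by publishing the desired set, but an empty CDS set is refused, so a signed child cannot go unsigned this way. Whether an unsigned child may bootstrap to signed is left to a policy flag, since the message treats that as an open question.

```python
"""Toy model of the parent-side CDS processing rule.

Constructed example; not code from the DNSOP thread or from any registry.
A DS record is modelled as (key_tag, algorithm, digest_type, digest); the
parent's DS RRset and the child's published CDS RRset are frozensets of them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest of the child's DNSKEY; values below are illustrative


class CDSRejected(Exception):
    """The parent refuses to act on the published CDS set."""


def apply_cds(current_ds: frozenset, published_cds: frozenset,
              allow_bootstrap: bool = False) -> frozenset:
    """Return the DS set the parent should publish after seeing `published_cds`.

    Rule from the quoted message: a CDS set may add, replace or drop
    individual DS records, but an empty CDS set never removes the last DS
    record, so a signed child cannot go unsigned via CDS.  Whether an
    unsigned child (empty current_ds) may bootstrap to signed is policy;
    `allow_bootstrap` is an assumed knob for that, off by default.
    """
    if not published_cds:
        raise CDSRejected("empty CDS set: removing all DS records is not allowed")
    if not current_ds and not allow_bootstrap:
        raise CDSRejected("child is unsigned and bootstrap via CDS is disabled")
    return frozenset(published_cds)


def ds_changes(current_ds: frozenset, published_cds: frozenset):
    """(added, removed) relative to the parent's current DS set."""
    return (frozenset(published_cds - current_ds),
            frozenset(current_ds - published_cds))


def _ds(tag: int) -> DS:
    # Constructed sample record: algorithm 13 (ECDSAP256SHA256), digest type 2 (SHA-256).
    return DS(tag, 13, 2, f"{tag:04x}" * 16)


# Keys A, B, C, D from the quoted example, as constructed DS records.
KEY_A, KEY_B, KEY_C, KEY_D = (_ds(t) for t in (1001, 1002, 1003, 1004))
CURRENT = frozenset({KEY_A, KEY_B, KEY_C, KEY_D})


def demo() -> dict:
    """Run the three cases from the thread and report what the parent does."""
    results = {}
    # Stop using C: the child publishes A, B, D and the parent installs that set.
    results["drop_c"] = apply_cds(CURRENT, frozenset({KEY_A, KEY_B, KEY_D}))
    # Attempt to go unsigned by publishing no CDS records at all.
    try:
        apply_cds(CURRENT, frozenset())
        results["go_unsigned"] = "accepted"
    except CDSRejected:
        results["go_unsigned"] = "rejected"
    # Unsigned -> signed, with and without the assumed bootstrap policy.
    try:
        apply_cds(frozenset(), frozenset({KEY_A}))
        results["bootstrap_default"] = "accepted"
    except CDSRejected:
        results["bootstrap_default"] = "rejected"
    results["bootstrap_enabled"] = apply_cds(frozenset(), frozenset({KEY_A}),
                                             allow_bootstrap=True)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The asymmetry Doug questions is visible in `apply_cds`: the empty-set check is unconditional, while the unsigned-to-signed direction is gated only by a policy flag. Both transitions change what validators will accept for the child, which is why a spoofed CDS response in either direction is the denial-of-service concern raised above.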
