On May 16, 2014, at 10:24 AM, Nicholas Weaver <nwea...@icsi.berkeley.edu> wrote:

> No it's not. All you have to be willing to do is release the constraint on
> "all signatures offline". Doing online signatures allows all the CDN
> functionality you want to be DNSSEC validated (not like DNSSEC really does
> much good for A records anyway...).
It's quite a bit more complicated than that. The main problem is that certain existing practices won't work and have to be changed somewhat. It's entirely doable; the problem is that someone who is already doing those practices may see the work required to add DNSSEC support as prohibitively risky. If you want to get into the details, I can see if there's a way to get you a copy of the discussion, but at this point it's moot since the document has been approved.

I think it would be beneficial if someone with a real interest in this topic could write a draft about it explaining existing practice in more detail and talking about how to morph that so that it works with DNSSEC. As you say, on-line signing is the first step.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
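The point both messages circle around (an offline-signed zone cannot vouch for per-client tailored CDN answers, an online signer can) is easy to see in a small simulation. The following is an added example, not code from either poster or from any IETF document: the zone name, addresses and steering table are constructed, and an HMAC over the canonical RRset stands in for a real RRSIG (a real zone signs with an asymmetric DNSKEY algorithm and validators verify with the public key; only the question of which RRset the signature covers matters here).

```python
import hashlib
import hmac

# Constructed demo key: a symmetric HMAC key stands in for the zone's
# DNSSEC key pair. Real DNSSEC uses RSA/ECDSA and the resolver verifies
# RRSIGs with the public DNSKEY; the simulation only cares which RRset
# the signature was computed over.
ZONE_KEY = b"constructed-demo-zone-key"
TTL = 60


def canonical_rrset(owner, rtype, ttl, rdatas):
    """Canonical form of an RRset in the spirit of RFC 4034 section 6:
    lowercase owner name, records sorted by RDATA, one per line."""
    lines = [f"{owner.lower()} {ttl} IN {rtype} {rd}" for rd in sorted(rdatas)]
    return "\n".join(lines).encode()


def sign_rrset(owner, rtype, ttl, rdatas):
    """Stand-in for producing an RRSIG over exactly this RRset."""
    data = canonical_rrset(owner, rtype, ttl, rdatas)
    return hmac.new(ZONE_KEY, data, hashlib.sha256).hexdigest()


def verify_rrset(owner, rtype, ttl, rdatas, rrsig):
    """Stand-in for a validating resolver checking the RRSIG it received
    against the RRset it actually received."""
    expected = sign_rrset(owner, rtype, ttl, rdatas)
    return hmac.compare_digest(expected, rrsig)


# Offline signing: the full A RRset is signed once when the zone file is built.
OWNER = "cdn.example."
ALL_ADDRS = ["192.0.2.1", "192.0.2.2"]  # constructed TEST-NET-1 addresses
OFFLINE_RRSIG = sign_rrset(OWNER, "A", TTL, ALL_ADDRS)

# Constructed CDN steering table: client source prefix -> preferred node.
STEERING = {
    "198.51.100.": ["192.0.2.1"],
    "203.0.113.": ["192.0.2.2"],
}


def cdn_select(client_ip):
    """Pick the tailored answer a CDN would give this client, or the full set."""
    for prefix, addrs in STEERING.items():
        if client_ip.startswith(prefix):
            return list(addrs)
    return list(ALL_ADDRS)


def answer_offline(client_ip):
    """Existing CDN practice bolted onto an offline-signed zone: tailor the
    A records per client, but the only RRSIG available is the one computed
    over the full set at zone-signing time."""
    return {"rdatas": cdn_select(client_ip), "rrsig": OFFLINE_RRSIG}


def answer_online(client_ip):
    """Online signing: sign whatever RRset this particular response carries."""
    rdatas = cdn_select(client_ip)
    return {"rdatas": rdatas, "rrsig": sign_rrset(OWNER, "A", TTL, rdatas)}


def validates(response):
    """What a DNSSEC-validating resolver would conclude about a response."""
    return verify_rrset(OWNER, "A", TTL, response["rdatas"], response["rrsig"])


if __name__ == "__main__":
    for client in ("198.51.100.7", "203.0.113.9", "192.0.2.200"):
        off = validates(answer_offline(client))
        on = validates(answer_online(client))
        print(f"client {client}: offline-signed tailored answer validates={off}, "
              f"online-signed validates={on}")
```

Clients that fall into a steering prefix get a tailored RRset; under offline signing the pre-computed RRSIG no longer matches and validation fails, while the online signer produces a matching RRSIG for every variant. A client outside the table receives the full set and validates either way, which is why a zone can look fine in testing until geo-steering kicks in.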