unless, of course, DNSSEC allowed for signing individual records instead of zones.
manning
[email protected]
PO Box 12317
Marina del Rey, CA 90295
310.322.8102

On 30June2015Tuesday, at 6:57, Tony Finch <[email protected]> wrote:

> John Dickinson <[email protected]> wrote:
>>
>> I have been planning to write a draft to address 1 by having validators send
>> the DS of known TA's in an edns0 option code. This info could then be logged
>> by the authoritative nameservers.
>
> Good idea, though just the key tags should be enough. (I think key
> management software ensures that tags don't collide.) If you only include
> the EDNS option when querying for the DNSKEY RRset then that tells the
> server which zone the trust anchor key tags belong to.
>
> Tony.
> --
> f.anthony.n.finch <[email protected]> http://dotat.at/
> Forties, Cromarty, Forth, Tyne, Dogger: South or southeast 4 or 5, increasing
> 6 at times. Slight or moderate. Mainly fair. Moderate or good.
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
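The exchange proposed in the quoted messages, as an added example that is not part of the original thread: a validator computes the key tags of its trust anchors (RFC 4034 Appendix B), sends them in an EDNS option on a DNSKEY query, and the authoritative side decodes and logs them per zone. The option code 65001 is a placeholder from the local/experimental range, the function names are hypothetical, and the keys are constructed sample bytes.

```python
import struct

# Placeholder option code from the EDNS local/experimental range; the thread
# predates any assignment, so this value is an assumption.
OPT_TA_KEY_TAGS = 65001

def key_tag(dnskey_rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (not for algorithm 1)."""
    acc = 0
    for i, b in enumerate(dnskey_rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF  # fold the carry back in
    return acc & 0xFFFF

def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def encode_option(tags):
    """Validator side: OPTION-CODE, OPTION-LENGTH, then one 16-bit tag per TA."""
    body = b"".join(struct.pack("!H", t) for t in sorted(set(tags)))
    return struct.pack("!HH", OPT_TA_KEY_TAGS, len(body)) + body

def decode_option(wire):
    """Authoritative side: return the tags, rejecting malformed options."""
    if len(wire) < 4:
        raise ValueError("truncated option header")
    code, length = struct.unpack("!HH", wire[:4])
    body = wire[4:]
    if code != OPT_TA_KEY_TAGS or length != len(body) or length % 2:
        raise ValueError("malformed trust-anchor key tag option")
    return [t for (t,) in struct.iter_unpack("!H", body)]

def log_line(qname, qtype, option_wire):
    """Only a DNSKEY query names the zone the tags belong to."""
    if qtype != "DNSKEY":
        return None
    tags = decode_option(option_wire)
    return f"zone={qname} ta_key_tags={','.join(map(str, tags))}"

# Constructed sample trust anchors (flags 257 = KSK, algorithm 8); not real keys.
OLD_KSK = dnskey_rdata(257, 8, bytes([0x01, 0x02, 0x03, 0x04]))
NEW_KSK = dnskey_rdata(257, 8, bytes([0xAA, 0xBB, 0xCC, 0xDD]))

if __name__ == "__main__":
    opt = encode_option([key_tag(OLD_KSK), key_tag(NEW_KSK)])
    print(log_line("example.", "DNSKEY", opt))
```
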
