> On May 15, 2018, at 3:57 PM, John Levine <jo...@taugh.com> wrote:
> I think it's a swell idea to offer people DNSSEC testing services but
> it's hopeless to conflate it with key rotation.

I completely agree with you on key rotation, once the zone has already
been operating signed.  But the document also covers enrollment:

   This document describes a simple protocol that allows a third party
   DNS operator to: establish the initial chain of trust (bootstrap
   DNSSEC) for a delegation; update DS records for a delegation; and,
   remove DS records from a secure delegation.  The DNS operator may do
   these things in a trusted manner, without involving the Registrant
   for each operation.  This same protocol can be used by Registrants to
   maintain their own domains if they wish.

It is at the time of initial enrollment that I'd like to propose greater
due diligence.
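One concrete piece of that due diligence at enrollment is for the parent (or whoever publishes the DS) to recompute the DS from the child's published DNSKEY and refuse any candidate that does not match exactly. The following is an added example, not code from the thread or from the draft; it assumes the child signals its desired DS as a CDS record, and the zone name, key bytes and record values are constructed for illustration.

```python
import hashlib
import struct

# Constructed sample values for this example; not taken from the thread.
# A DNSKEY record is (flags, protocol, algorithm, public key bytes).
# Flags 257 = zone key + SEP bit, protocol 3, algorithm 8 = RSASHA256.
SAMPLE_ZONE = "example.net."
SAMPLE_DNSKEY = (257, 3, 8, bytes.fromhex("0103010001") + b"\xab" * 32)  # constructed key blob

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def canonical_name(name):
    """Owner name in canonical wire format: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def make_ds(zone, flags, protocol, algorithm, pubkey, digest_type=2):
    """Build the DS tuple (key tag, algorithm, digest type, digest) for a DNSKEY.
    Digest type 2 = SHA-256 over canonical owner name + DNSKEY RDATA (RFC 4509)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(canonical_name(zone) + rdata).digest()
    return (key_tag(rdata), algorithm, digest_type, digest)

def cds_matches_dnskey_set(zone, dnskeys, cds):
    """Enrollment check: accept a candidate CDS only if it is exactly the DS
    derived from one of the DNSKEYs the child actually publishes."""
    return any(make_ds(zone, *k, digest_type=cds[2]) == cds for k in dnskeys)

if __name__ == "__main__":
    ds = make_ds(SAMPLE_ZONE, *SAMPLE_DNSKEY)
    print("key tag", ds[0], "digest", ds[3].hex())
    print("CDS accepted:", cds_matches_dnskey_set(SAMPLE_ZONE, [SAMPLE_DNSKEY], ds))
```

A real parent-side check would also validate the RRSIG over the child's DNSKEY RRset and fetch it from more than one vantage point before publishing; those steps are outside this example.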


DNSOP mailing list