> On May 15, 2018, at 3:57 PM, John Levine <[email protected]> wrote:
>
> I think it's a swell idea to offer people DNSSEC testing services but
> it's hopeless to conflate it with key rotation.

I completely agree with you on key rotation, once the zone has already
been operating signed. But the document also covers enrollment:

   This document describes a simple protocol that allows a third party
   DNS operator to: establish the initial chain of trust (bootstrap
                    -----------------------------------------------
   DNSSEC) for a delegation; update DS records for a delegation; and,
   ------------------------
   remove DS records from a secure delegation. The DNS operator may do
   these things in a trusted manner, without involving the Registrant
   for each operation. This same protocol can be used by Registrants to
   maintain their own domains if they wish.

It is at the time of initial enrollment that I'd like to propose greater
due diligence.

--
Viktor.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop