SIG(0) is much superior for machines updating their own data to TSIG as you 
don’t need a secondary storage for the TSIG key. You can replace a master 
server without having to worry about transferring TSIG secrets off a dead 
machine. You just copy the zone from a slave and go.

There are other scenarios where it is also superior, like automaton delegating 
in the reverse tree.

No, I don’t think it should go.

It should be widely implemented so it can be used. There is a lot of 
self-fulfilling prophecy in the DNS of “people will never use this so we won’t 
implement it”.

-- 
Mark Andrews

> On 20 Jun 2018, at 06:48, Ondřej Surý <ond...@isc.org> wrote:
> 
> Hi,
> 
> as far as I could find on the Internet there are only SIG(0) implementations 
> in a handful of DNS implementations - BIND, PHP Net_DNS2 PHP library, 
> Net::DNS(::Sec) Perl library, trust_dns written in Rust and perhaps others I 
> haven’t found; no mention of real deployment was found over the Internet 
> (but you can blame Google for that)...
> 
> Do people think the SIG(0) is something that we should keep in DNS and it 
> will be used in the future or it is a good candidate for throwing off the 
> boat?
> 
> Ondrej
> --
> Ondřej Surý
> ond...@isc.org
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
