On Tue, Feb 12, 2019 at 03:56:04PM +0800, [email protected] <[email protected]> wrote a message of 546 lines which said:
> the child zone publishes a TLSA record instead of a DS record in the
> parent zone [RFC 6698 may need update]. The TLSA record contains the
> certificate that identifies the child zone.

The problem is that it would require all authoritative name servers of a zone to have the same key. This is inconvenient in some setups, for instance when some of the name servers are subcontracted. I suggest that it is better to have a TLSA record per name server and not per zone (draft-bortzmeyer-dprive-resolver-to-auth, section 2).

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
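As an added illustration of the point made in the reply above (example code, not from the thread or from the draft): a small Python model of RFC 6698 TLSA matching (selector 0 only, matching types 0/1/2, DANE-EE usage assumed) run over two constructed, hypothetical name-server certificates for one zone. It shows a resolver accepting both servers when each has its own TLSA record, and rejecting the subcontracted server when a single per-zone record carries only the first server's key.

```python
import hashlib
from dataclasses import dataclass

# Constructed placeholder certificate bytes for two authoritative servers of
# one zone; ns2 is run by a subcontractor and has its own key (assumption).
NS_CERTS = {
    "ns1.example.": b"constructed-DER-cert-for-ns1",
    "ns2.example.": b"constructed-DER-cert-for-ns2",
}

@dataclass(frozen=True)
class TLSA:
    usage: int     # certificate usage; 3 (DANE-EE) assumed throughout
    selector: int  # 0 = full certificate (the only selector modelled here)
    mtype: int     # 0 = exact data, 1 = SHA-256, 2 = SHA-512 (RFC 6698)
    data: bytes

def _assoc_data(cert: bytes, mtype: int) -> bytes:
    if mtype == 0:
        return cert
    if mtype == 1:
        return hashlib.sha256(cert).digest()
    if mtype == 2:
        return hashlib.sha512(cert).digest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_for(cert: bytes, mtype: int = 1) -> TLSA:
    return TLSA(usage=3, selector=0, mtype=mtype, data=_assoc_data(cert, mtype))

def tlsa_matches(rrset: list[TLSA], cert: bytes) -> bool:
    # A presented certificate is accepted if any record in the RRset matches it.
    return any(r.data == _assoc_data(cert, r.mtype) for r in rrset)

def per_zone_records() -> dict[str, list[TLSA]]:
    # One TLSA RRset for the whole zone, published with ns1's certificate,
    # and every name server is checked against that same RRset.
    zone_rrset = [tlsa_for(NS_CERTS["ns1.example."])]
    return {ns: zone_rrset for ns in NS_CERTS}

def per_server_records() -> dict[str, list[TLSA]]:
    # One TLSA RRset per name server, as proposed in the reply; the owner
    # name would be _853._tcp.<ns> (853 = DNS over TLS), an assumption here.
    return {ns: [tlsa_for(cert)] for ns, cert in NS_CERTS.items()}

def verify_all(records: dict[str, list[TLSA]]) -> dict[str, bool]:
    # Simulate a resolver connecting to each server and validating the
    # certificate it presents against the TLSA RRset selected for it.
    return {ns: tlsa_matches(records[ns], NS_CERTS[ns]) for ns in NS_CERTS}
```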
