It appears that Johan Stenstam <[email protected]> said:
>Ok, let me rephrase: As a synchronisation mechanism based on a signed DNS
>UPDATE message that carries both the data to be modified and the proof that
>the change request originated with the owner (the child) and has not been
>modified in transit… it works equally well with or without DNSSEC.

That is true, but it also means that the two ends have to arrange out of band
to share the signing key, which is the usual scale problem that makes this
stuff fail.

I think that extending NOTIFY for the small set of cases in the draft is fine,
particularly if we also add a case to notify for the DNS bootstrap.

R's,
John

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
