I'd look at RFC 9718, about publishing the DNSSEC root keys ...
I think it may be critical to have a signature which is separate from the HTTPS cert because you want IANA to be the ultimate authority over the contents with zero dependency on another agent.
The DNSSEC keys have both, per 9718. If you're OK with https, use that, if not, get the signature and check that too. Sounds like a good model.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
