[On 14 Nov, @ 21:28, Marcos wrote in "Re: [dnsop] comments on draft. ..."]
> Ed,
> 
> > I'd like to raise the question - does any registry out there *need*
> > the DNSKEY option - as opposed to thinking it might be better.  Not
> > to argue the point, but to help *me* understand whether or not the
> > DNSKEY is a needed option.
> 
> For me as well, the natural option is the provision of the DS record. 
> However in a discussion with somebody (Miek, was it you?), he mentioned 
> that it could be useful for the registry to have the DNSKEYs handy, in 
> case the algorithms to distill the DS out of it would change.

I don't remember exactly... but my opinion always has been that a
child doesn't really have to deal with DSs, that's a parent only
thing. So why burden a child with the DS creation?

Also if a parent has access to the child's key, you can use that to
verify oob messages which are signed with the private key of child (if
you wanna go that route).

OTOH the keys _are_ in the DNS, so you could also query for them if
you need them.

grtz Miek
.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
