On Mon, Nov 15, 2004 at 07:57:04AM -0500, Scott Hollenbeck wrote: > > For me as well, the natural option is the provision of the DS record. > > However in a discussion with somebody (Miek, was it you?), he > > mentioned > > that it could be useful for the registry to have the DNSKEYs > > handy, in > > case the algorithms to distille the DS out of it would change. > > This was the primary reason that the current proposal includes the option to > do one or the other. It adds some complexity. Is the benefit worth it or > not?
I didn't follow the debate that led to the choice to include both. But previous experience suggests that only including one (either!) would be seen as dictating security policy or procedure in some way. I think keeping both is better. . dnsop resources:_____________________________________________________ web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
