[On 16 Nov, @ 09:54, Edward wrote in "Re: [dnsop] comments on draft. ..."]
> [On 15 Nov, @ 16:47, Edward wrote in "Re: [dnsop] comments on draft. ..."]
> > At 10:12 -0500 11/15/04, Miek Gieben wrote:
> >
> > >So I went for DNSKEY and Ed goes for DS. Two people, two different
> > >choices. I think we should let the implementers decide this and not
> > >the draft writers,
> >
> > Well, it's deeper than that. We've implemented the DS option and not
> > the DNSKEY option in our initial toolkit. You've implemented the
> > DNSKEY option.
> >
> > The question is - if you had to do it all over again, would you have
> > bothered with the DNSKEY option? Has there been any demand to use
> > the DNSKEY option by any users/testers of SECREG?
>
> I think I would use the DNSKEY option again. Solely on the basis of
> not bothering the child with generating the DS. And I really liked my
> in-band thingy (which used DNSKEY, prob. just KEY at the time).

to reply to my own reply. After some internal discussion here at labs,
the following is also possible:

1) get the DS via EPP from the child
2) parent retrieves the key via the DNS from the child
3) parent _transforms_ the key into a DS and compares that with the one
   from step 1

Step 3 falls under the category of *duh* :-)

So I guess my main argument for using DNSKEY is now void,

grtz Miek
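
The three-step check described in the message above, as an added example (not part of the original post, and not code from either toolkit mentioned in the thread): the parent derives a DS from each DNSKEY it fetched from the child zone and compares it with the DS received over EPP. The DS construction follows RFC 4034; the function names and the sample keys are constructed for illustration, and the EPP exchange and the DNS lookup are assumed to happen elsewhere.

```python
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, then the key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """Step 3, first half: transform a DNSKEY into a DS tuple
    (key tag, algorithm, digest type, hex digest)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(submitted_ds, owner, dnskey_rdatas):
    """Step 3, second half: does the DS from EPP match any DNSKEY
    the parent retrieved from the child zone?"""
    tag, alg, dtype, digest = submitted_ds
    if dtype not in DIGESTS:
        return False  # unknown digest type: cannot verify, so reject
    want = (tag, alg, dtype, digest.lower())
    return any(make_ds(owner, r, dtype) == want for r in dnskey_rdatas)

# Constructed sample data, not real keys.
CHILD = "child.example."
KSK = dnskey_rdata(257, 3, 5, bytes(range(64)))
ZSK = dnskey_rdata(256, 3, 5, bytes(range(64, 128)))

if __name__ == "__main__":
    from_epp = make_ds(CHILD, KSK, 1)                # stands in for step 1
    print(ds_matches(from_epp, CHILD, [ZSK, KSK]))   # steps 2 and 3
```

A mismatch here means the DS submitted over EPP does not correspond to any key the child is actually publishing, so the parent should not install it in the delegation.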
