> > i disagree. asking your parent zone to calculate a hash leaves open
> > the possibility that someday the way that hash is to be calculated
> > will change and you will know about the change but your parent won't,
> > and also the possibility that your parent will calculate it wrongly.
>
> I think this is a little bit far-fetched. If your parent cannot even
> calculate the correct DS, they will be able to correctly generate
> the signature for the DS?
You're comparing apples and oranges here. Why wouldn't the parent be able to generate the signature?

Paul's postulating, as I did on Monday, a future DS digest algorithm change. That could happen independently of a crypto algorithm change, and it might happen for reasons (like signalling) that aren't sufficient to make the parent update its signing procedure or software (as a broken algorithm might).

I don't have an opinion re: keeping the DNSKEY option, but I think we need to keep the DS option.

--
Sam

_____________________________________________________
dnsop resources:
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
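The thread turns on what the parent has to compute when it derives a DS from the child's DNSKEY, and what happens when the digest type is one the parent's software does not know. The following Python is an added illustration for readers of the archive, not code from the list or from any DNS implementation: it builds the DS digest and key tag as RFC 4034 (section 5.1.4 and Appendix B) defines them, then performs the parent-side check of a submitted DS against the child's DNSKEY. The DNSKEY bytes are constructed sample values, not a real key, and only digest types 1 (SHA-1) and 2 (SHA-256, RFC 4509) are modelled; an unknown digest type is deliberately reported as "cannot verify" rather than guessed at, which is the situation Paul and Sam describe.

```python
import hashlib
import hmac
import struct

# DS digest types modelled here (assumption: only the two from RFC 4034 / RFC 4509).
# A future digest type the parent has not implemented will simply be absent.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def canonical_name_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the form used for every algorithm
    except the obsolete RSA/MD5 special case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 s5.1.4."""
    if digest_type not in DIGEST_ALGS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return DIGEST_ALGS[digest_type](canonical_name_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int) -> dict:
    """What a child (or a parent computing on the child's behalf) publishes."""
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type),
    }


def ds_matches_dnskey(owner: str, rdata: bytes, ds: dict) -> bool:
    """Parent-side check: does a submitted DS correspond to this DNSKEY?
    Returns False (not an error) when the digest type is unknown, because a
    parent that cannot compute the digest has no way to confirm or deny it."""
    if ds["digest_type"] not in DIGEST_ALGS:
        return False
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    expected = ds_digest(owner, rdata, ds["digest_type"])
    return hmac.compare_digest(ds["digest"], expected)


if __name__ == "__main__":
    # Constructed sample: KSK flags (257), protocol 3, algorithm 8, dummy key bytes.
    key = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
    ds = make_ds("Example.COM.", key, 2)
    print("key tag:", ds["key_tag"], "digest:", ds["digest"].hex())
    print("DS matches DNSKEY:", ds_matches_dnskey("example.com.", key, ds))
    print("unknown digest type verifiable:",
          ds_matches_dnskey("example.com.", key, dict(ds, digest_type=99)))
```

The `canonical_name_wire` step is where a careless parent can go wrong independently of signing: the digest covers the lowercased owner name in wire form, so a DS computed over the presentation-format name, or over a name in the case the child happened to submit, will not match what a validator derives. The unknown-digest-type branch is the other half of the thread's argument: a child that already publishes a DS for a digest type the parent cannot compute is still better off than one that depends on the parent to produce it.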
