At 8:18 -0500 11/19/04, [EMAIL PROTECTED] wrote:
> 2) parent retrieves the key via the DNS from the child
> operationally does this presume that the parent can/MUST be able to do a zone transfer or will there be a mutually agreeable, common location where the parent can retrieve the key via standard queries?
Wouldn't (minimally, assuming BIND) this do the trick?
dig registrant.example DNSKEY
That would give the "live" view of the data.
'Course, if it's cache poisoning you fear, you can direct the dig to a server, protect it with a mutually agreed upon message protection mechanism (TSIG, etc.) yadda, yadda, yadda.
Why would a zone transfer be needed?
--
Edward Lewis +1-571-434-5468
NeuStar
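An added example, not part of the original message: one way a parent could check the "live" DNSKEY answers obtained by standard queries sent directly to each of the child's servers, with no zone transfer, by comparing key tags and DS digests across servers. The server names, the toy key data, algorithm 8, the SHA-256 digest choice and all function names are assumptions; TSIG protection of the queries themselves is not shown.

```python
import base64
import hashlib
import struct

# Constructed sample: answer lines in the form printed by
#   dig +norecurse @<server> registrant.example DNSKEY
# for two hypothetical child servers. The key bytes are toy values.
KSK = "registrant.example. 3600 IN DNSKEY 257 3 8 AQID\n"
ZSK = "registrant.example. 3600 IN DNSKEY 256 3 8 BAUG\n"
ANSWERS = {
    "ns1.registrant.example": KSK + ZSK,
    "ns2.registrant.example": KSK,
}

def parse_dnskeys(text):
    """Yield (owner, rdata_bytes) for each DNSKEY line of dig output."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0].startswith(";") or f[3] != "DNSKEY":
            continue
        flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
        key = base64.b64decode("".join(f[7:]))  # dig may split long keys
        yield f[0], struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata):
    """SHA-256 DS digest: hash of the owner's wire-format name + RDATA."""
    labels = owner.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest()

def ksk_view(answers):
    """Per server: set of (key_tag, digest) for keys with the SEP bit set."""
    return {
        server: {(key_tag(r), ds_digest(o, r))
                 for o, r in parse_dnskeys(text)
                 if struct.unpack("!H", r[:2])[0] & 1}
        for server, text in answers.items()
    }

def consistent(answers):
    """True when every server returned the same non-empty KSK set."""
    sets = list(ksk_view(answers).values())
    return bool(sets) and bool(sets[0]) and all(s == sets[0] for s in sets)
```

A mismatch between servers is a reason to hold off on publishing anything derived from the key until the child confirms which one is current.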
