[On 23 Nov, @ 21:00, Ólafur wrote in "Re: [dnsop] comments on draft. ..."]
Overall I think the question is: why provide more Security for the DS exchange than is provided for the NS exchange?
...because we can?
The inclusion of the RRSIG doesn't add "security." Any bozo can make a key pair and submit the public key, or the hash of the public key. So what if it is self-signed?
As far as provisioning is concerned, only the DS RRSet matters. (This is why I'm taking a fairly hard line with respect to the DNSKEY option.) EPP is a provisioning protocol, not a registry correctness protocol.
If a registry wants to be more proactive in correctness (e.g., per a business rule), the registry can reach out to the DNS of the registrant and pull the data (via port 53) for the check.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
I think my jabber client and SMS phone are talking about me behind my back.
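The check described in the last paragraph of the message above (pull the child's DNSKEY over port 53 and compare it with what the registrant submitted) comes down to recomputing the DS from the DNSKEY RRset: DS digest = hash(canonical owner name || DNSKEY RDATA), plus the RFC 4034 key tag. The Python below is an added example, not code from the post, the draft, or any registry's EPP system; the DNS fetch itself is left out (any resolver library can supply the DNSKEY text), and the zone name, the DNSKEY and its key bytes are constructed values.

```python
import base64
import hashlib

# Constructed sample input (not from the post): a child-zone DNSKEY in
# presentation format, as a resolver would hand it back. Mixed case in the
# owner name is deliberate: DS hashing requires the canonical (lowercase) form.
CHILD_ZONE = "Example.COM."
CHILD_DNSKEY = "257 3 8 AwEAAavN"   # flags protocol algorithm base64(key); key bytes are made up


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(presentation: str) -> bytes:
    """Parse 'flags protocol algorithm base64key' into DNSKEY RDATA wire bytes."""
    flags, protocol, algorithm, *key_parts = presentation.split()
    key = base64.b64decode("".join(key_parts))
    return int(flags).to_bytes(2, "big") + bytes([int(protocol), int(algorithm)]) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the general form; not the legacy RSA/MD5 rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types this example understands: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as uppercase hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_from_dnskey(owner: str, presentation: str, digest_type: int = 2) -> tuple:
    """(key_tag, algorithm, digest_type, digest) for the DS this DNSKEY yields."""
    rdata = dnskey_rdata(presentation)
    return key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type)


def ds_matches_dnskey(owner: str, submitted_ds: tuple, presentation: str) -> bool:
    """Registry-side correctness check: does the DS a registrant submitted
    correspond to a DNSKEY actually published in the child zone?
    Only a protocol-3 DNSKEY is eligible; unknown digest types are rejected."""
    rdata = dnskey_rdata(presentation)
    if rdata[2] != 3:
        return False
    tag, alg, dtype, digest = submitted_ds
    if dtype not in DIGESTS:
        return False
    return (tag, alg, dtype, digest.upper()) == ds_from_dnskey(owner, presentation, dtype)


if __name__ == "__main__":
    ds = ds_from_dnskey(CHILD_ZONE, CHILD_DNSKEY)
    print("DS derived from the published DNSKEY:", ds)
    print("submitted DS matches child zone:", ds_matches_dnskey(CHILD_ZONE, ds, CHILD_DNSKEY))
```

In practice the registry would run `ds_matches_dnskey` once per submitted DS against every DNSKEY in the fetched RRset and accept the DS if any one matches; a DS that matches nothing in the child zone is exactly the provisioning error this check is meant to catch, and it is caught without any need for the registrant to supply an RRSIG.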
dnsop resources:
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
