At 13:55 29/11/2004, Scott Hollenbeck wrote:
Olafur,

> Now on to new issue:
> The RRSIG in the EPP transfer.
> This text was put in based on my suggestion, upon reflection I think
> this is a bad idea and should be removed from the document.
> If we send DS then the recipient needs to query for the DNSKEY RRset
> to evaluate the signatures, this forces the registrant to have the new
> SEP key on-line.

If we remove the DNSKEY data, the RRSIG stuff goes with it because
<secDNS:sig> is currently part of <secDNS:keyData>.  Are you suggesting
something else?  If we remove it I can see a need for some text to describe
the operational issue that you've touched on above.

It was not perfectly clear from the draft that RRSIG was only on the DNSKEY RR submission mechanism. If the choice is between DNSKEY+RRSIG or DS, then my vote is for the DS-only mechanism.


Olafur


-Scott-

.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
