Skimming the archive after Ed posted a question, I noticed this question was still hanging.
> > > operationally does this presume that the parent
> > > can/MUST be able to do a zone transfer
> >
> > No need for that.
>
> but that will work - yes?

Are you asking if 'dig @ns.secret-wg.org secret-wg.org DNSKEY +dnssec' works?

> > > or will there
> > > be a mutually agreeable, common location where the
> > > parent can retrieve the key via standard queries?
> >
> > A query to the DNSKEY RR at the child's apex with the SEP bit set?
>
> does that presume a single DNSKEY?

I read that question as "does that presume a single DNSKEY with the SEP flag set?"

Good point, the child may be rolling their keys and therefore have two SEP keys at its apex.

On the other hand, if I understand the context correctly, the query will only be done in certain special circumstances, e.g. in order to recreate the hash. It can be assumed that, using the data the registry has on file, the registry can sort out which key to pick if there are multiple SEP keys.

So I do not think that the child having multiple SEP keys is a problem in a scenario where you have to re-generate DS RRs, as long as you have some record of which key to pick.

If you rely on the SEP flag to identify the key the DS should point to and there are no keys with the SEP flag set, you may find yourself in trouble.

--Olaf

---------------------------------| Olaf M. Kolkman
---------------------------------| RIPE NCC

dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
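The DS-regeneration scenario discussed in the message above, as an added example that is not part of the original thread or of any dnsop document: a registry takes the child's apex DNSKEY RRset (what the `dig ... DNSKEY +dnssec` query would return), keeps only the keys with the SEP flag set, disambiguates a rollover with two SEP keys by the key tag it has on file, refuses when no SEP key exists, and recomputes the DS digest. Key tag and DS digest follow RFC 4034 (Appendix B and section 5.1.4) with SHA-256 per RFC 4509. The three DNSKEY records, their key material and the on-file key tag are constructed test data (fake filler bytes, not real RSA keys); the function names are mine.

```python
"""Regenerate a DS RR from a child's apex DNSKEY RRset, picking the key by SEP flag.

Added example for the dnsop thread, not code from the thread or any RFC.
Key tag: RFC 4034 Appendix B.  DS digest: RFC 4034 s5.1.4 (SHA-1), RFC 4509
(SHA-256), RFC 6605 (SHA-384).  All DNSKEY data below is constructed.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional

SEP_FLAG = 0x0001  # RFC 4034 s2.1.1: Secure Entry Point, bit 15 of the flags field
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    @property
    def is_sep(self) -> bool:
        return bool(self.flags & SEP_FLAG)


def parse_dnskey(line: str) -> DNSKEY:
    """Parse presentation format: '<owner> [TTL] [IN] DNSKEY <flags> <proto> <alg> <base64 ...>'."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))  # dig may split the base64 on spaces
    return DNSKEY(fields[0], flags, proto, alg, key)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag for algorithms other than 1 (RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name (RFC 4034 s6.2): lowercase, uncompressed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def select_sep_key(rrset: List[DNSKEY], on_file_tag: Optional[int] = None) -> DNSKEY:
    """Pick the DNSKEY the DS should point to.

    Only SEP keys are candidates.  With a single SEP key no on-file record is
    needed; during a rollover (two SEP keys) the registry's on-file key tag
    decides.  No SEP key at all is the failure case Olaf warns about.
    """
    sep_keys = [k for k in rrset if k.is_sep]
    if not sep_keys:
        raise ValueError("no DNSKEY with the SEP flag set at the apex; cannot pick a key for the DS")
    if on_file_tag is None:
        if len(sep_keys) == 1:
            return sep_keys[0]
        raise ValueError(f"{len(sep_keys)} SEP keys at the apex (rollover?) and no on-file record")
    matches = [k for k in sep_keys if key_tag(k.rdata) == on_file_tag]
    if len(matches) != 1:  # key tags are not unique; a real registry would also compare key material
        raise ValueError(f"on-file key tag {on_file_tag} matches {len(matches)} SEP keys")
    return matches[0]


def ds_record(key: DNSKEY, digest_type: int = 2) -> str:
    """DS RR in presentation format; digest = H(canonical owner name || DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](owner_wire(key.owner) + key.rdata).hexdigest().upper()
    return f"{key.owner} IN DS {key_tag(key.rdata)} {key.algorithm} {digest_type} {digest}"


# Constructed apex RRset: one ZSK (flags 256) and two SEP keys (flags 257),
# i.e. a KSK rollover in progress.  Public keys are fake filler bytes.
APEX_DNSKEYS = [parse_dnskey(l) for l in (
    "secret-wg.org. 3600 IN DNSKEY 256 3 8 AQIDBAUI",
    "secret-wg.org. 3600 IN DNSKEY 257 3 8 AQIDBAUG",
    "secret-wg.org. 3600 IN DNSKEY 257 3 8 CAkKCwwN",
)]

if __name__ == "__main__":
    print(ds_record(select_sep_key(APEX_DNSKEYS, on_file_tag=8746)))  # on-file record decides
    try:
        select_sep_key(APEX_DNSKEYS)  # two SEP keys, nothing on file: refuse rather than guess
    except ValueError as e:
        print("refused:", e)
```

Running the script prints the regenerated DS for the SEP key whose tag is on file and a refusal for the ambiguous call; feeding it only the ZSK raises the "no SEP flag" error, which is the case where relying on the flag alone leaves the registry with nothing to point the DS at.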
