Edward Lewis wrote:


In the context of the DNSSEC protocol, I think that the security parameters of one zone should not be linked to the parameters in another zone.

(...)

In this case, the signature validity period of the DS RRSet is something that should be wholly determined by the parent. The validity period is a measure of the faith in the protection of the private key.


I do agree with the general notion of Chinese walls between child and parents but I'm picking on this particular point.

The signature validity interval over the DS is also a measure of faith in the protection of the private key _of_the_child. The security parameters of the child and parent are linked. Of course a parent could not care about its children but I'd think I'd allow for being more or less protective for some of my children.

--Olaf

.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
