Miek,

> Sam argues:
> Section 4.4.2 suggests storing DNSKEYs, not DSs. I think this is bad
> advice -- DS message digest algorithms may be used for signaling (of,
> for example, use of NSEC3), so the child may want to choose the
> message digest algorithm. Rather than require the parent to
> support them all, why not just let the child provide the hash?
>
> I argue:
> My opinion in this is that the DS is a parental record and as such a child may
> not even be aware that it exists.

This reminds me of the discussion had not long ago about the epp-dnssec documents. There, we achieved consensus about the child providing the DS record to the parent and *optionally* key information (and epp-secdns-07 reflects this). IMHO operational practices should be coherent with that (well, or the other way round).

Regards,
Marcos
