The optimal place to sign DNS zones is where they are
generated. For homenet this is in the home.
For zeroconf the CPE generates DNSKEY records and pushes
DS records for them to the parent zone. We know how to do
this securely.
If you replace a CPE it just pushes new DS records for the
new DNSKEY records it generates. This is equivalent to an
emergency key rollover and only impacts clients that have
cached records for the zone or its DS records.
For split horizon zones you use the same DNSKEYs in all
versions of the zone. This prevents issues with cached
DS/DNSKEY records as machines move from being locally
connected to externally connected.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
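The DS-from-DNSKEY derivation behind the post above (a CPE publishing its own DNSKEY and pushing the matching DS to the parent, and why a replacement CPE's key fails against a cached DS), as an added example that is not part of the original message; the zone name and the two key blobs are constructed placeholders, not real keys.

```python
"""DS-record derivation per RFC 4034 / RFC 4509: the parent holds a digest of
the child's DNSKEY, so a replaced CPE with a fresh DNSKEY needs a fresh DS,
and a validator still holding the old DS cannot validate the new key.
Added example; the keys below are constructed placeholders."""
import hashlib

SHA256_DIGEST_TYPE = 2  # DS digest type 2 = SHA-256 (RFC 4509)

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(zone: str, rdata: bytes) -> tuple:
    """DS = (key tag, algorithm, digest type, SHA-256(owner name | DNSKEY RDATA))."""
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], SHA256_DIGEST_TYPE, digest)

def ds_matches(ds: tuple, zone: str, rdata: bytes) -> bool:
    """What a validator does: recompute the DS from the DNSKEY it received."""
    return make_ds(zone, rdata) == ds

# Constructed placeholder keys: flags 257 = KSK, algorithm 13 = ECDSAP256SHA256.
OLD_CPE_KEY = dnskey_rdata(257, 13, bytes(range(1, 65)))
NEW_CPE_KEY = dnskey_rdata(257, 13, bytes(range(65, 129)))
ZONE = "example.home."  # constructed zone name

if __name__ == "__main__":
    cached_ds = make_ds(ZONE, OLD_CPE_KEY)       # DS the parent published for the old CPE
    print("parent holds DS:", cached_ds)
    print("old CPE key validates:", ds_matches(cached_ds, ZONE, OLD_CPE_KEY))
    print("replacement CPE key against cached DS:", ds_matches(cached_ds, ZONE, NEW_CPE_KEY))
    print("DS the new CPE must push:", make_ds(ZONE, NEW_CPE_KEY))
```

Until the new DS reaches the parent and the old one ages out of resolver caches, the second check is what a validator sees, which is exactly the emergency-rollover window the post refers to.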