Moin! On 04 Mar 2014, at 10:00, Mark Andrews <[email protected]> wrote:
> If you replace a CPE it just pushed new DS records for the > new DNSKEY records it generates. This is equivalent to a > emergency key rollover and only impacts client that have > cached records for the zone or its DS records. What if the new device doesn't support DNSSEC signing? I still think there are reasons to support both archictectures (signing on the CPE or on the ISP auth name server). I have no problem with signing on the CPE. I just don't want to make it mandatory, as I have seen more problems with CPEs than with ISP operations (ok I may be biased here working in ISP operations for 15 years ;-). So long -Ralf _______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
