On Mar 4, 2014, at 10:39 AM, Michael Richardson <[email protected]> wrote:
> For a forward zone that I owned, I would push a new DS record upwards.
> The likely reason for a new CPE is that the blue smoke got out of the old
> one. If the models were compatible, and I had a backup of the config,
> then perhaps the private key would move, but that seems doubtful for most
> users.

How are you going to push DS records upwards if you have lost your key?

> 3) the perpass/National-Security-Letter situation.
> If the key by default resides at the ISP, then it is the ISP that gets
> served when some agency thinks it wants to divert traffic by changing DNS,
> and once served, the net may be much larger than desired.
> By putting the key in the CPE, the legal papers will have to specify that
> device. It may still be the ISP legal department that responds, but the
> chance of screwing up is larger.

This is probably the best argument I've heard against putting the keys on the ISP's server. However, you still have to make it work.
