> From what I can tell, this document only describes how to publish and
> retrieve a key in DNS/DNSSEC, i.e. in what format. I don't see any
> mention of a procedure by which a key would get published. ...
As others have noted, that's true. For one thing, this draft and the companion S/MIME draft have serious design problems* that make it unlikely that they will be adopted outside of small niches, so I wouldn't put a lot of effort into fixing them. But more important, most DNS management systems are protected with passwords now. That's how the management consoles at domain registrars work (they control the NS records) and it's how most DNS management consoles work. Some use hardware or software tokens or client certs, but most don't, so there's little point in building a steel door for those cardboard boxes. Even if there are super-secure HSMs for zone signing, they can only sign what the DNS management system already has.

The PGP certs you would retrieve would presumably have the same WoT endorsements as if you retrieved them any other way, so you can continue to use WoT to decide whether to accept them.

R's,
John

* - not just the address guessing issue, see zillions of messages in the list archive for details

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
