> On Thu, Aug 28, 2008 at 12:04:15AM -0400, Brian Dickson wrote:
> > 
> > The DS may be provided by the operator of the subordinate zone, or built 
> > by the parent operator,
> > most likely the latter.
> 
> 
>       that's an interesting premise.  
>       why do you think this will be the case?
>       
>       (I would posit that the folks generating the DNSKEY will also 
>       want to generate the DS hash on their known, trusted signing tools
>       instead of trusting the parent w/ the DNSKEY materials)

        The parents can see the public side of the DNSKEY materials
        which the DS identifies.
 
> > Brian

        The problem is that *only* the child knows which DNSKEYs
        need DS records and which ones don't.

        The child may even want to have DS's published in advance
        of the associated DNSKEY being published to reduce DNSKEY
        RRset size at KSK rollover by using a replacement strategy
        for the KSK.

        Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
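The thread's point is that the child zone knows which DNSKEYs (normally the KSK) need a DS and can derive that DS on its own signing tooling rather than handing the job to the parent. As an added example, not code from this thread or from ISC, here is the DS derivation as RFC 4034 specifies it (key tag plus digest over the canonical owner name and DNSKEY RDATA); the owner name and key bytes are constructed sample values, not a real zone key.

```python
"""Build a DS record from a DNSKEY on the child side (RFC 4034 sections 5 and B).
Sample owner name and key bytes below are constructed; they are not a real key."""
import base64
import hashlib
import struct

# DS digest type numbers: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the case for every algorithm except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> str:
    """Presentation-format DS RDATA: '<keytag> <algorithm> <digesttype> <hex digest>'.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


# Constructed sample: a KSK (flags 257, SEP bit set), protocol 3, algorithm 8,
# with a made-up 4-byte "public key" so the arithmetic is easy to follow.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY_B64 = base64.b64encode(b"\x01\x02\x03\x04").decode()

if __name__ == "__main__":
    print(make_ds(SAMPLE_OWNER, 257, 3, 8, SAMPLE_KEY_B64))
```

Only DNSKEYs the child wants to anchor (here the one with the SEP flag) get fed through make_ds; a DS for a replacement KSK can be produced from its DNSKEY before that DNSKEY is ever published, which is the pre-publication strategy the message describes.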