> > - The parent is already trusted with DNSSEC tools, since the parent is
> > signing the parent's zone (including the DS record!)
>
> assuming facts not in evidence. there is active discussion
> about having unsigned zones w/ DS records included.

Well you are not talking about DNSSEC 4035 then. Such DS records
are just noise to DNSSEC 4035.

> > - Nothing in the DNSKEY, or in the building of the DS, involves private
> > keys, only public keys - so there is no trust issue with the materials.
>
> well... lets agree to disagree here.
>
> > - The DNSKEY is already published, so the parent can trivially get it,
> > in a way that is not subject to poisoning (the NS glue is hardcoded in
> > the parent zone, after all)

May be published.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop