> > - The parent is already trusted with DNSSEC tools, since the parent is 
> > signing the parent's zone (including the DS record!)
> 
>       assuming facts not in evidence. there is active discussion 
>       about having unsigned zones w/ DS records included.

        Well, you are not talking about DNSSEC 4035 then.  Such DS
        records are just noise to DNSSEC 4035.

> > - Nothing in the DNSKEY, or in the building of the DS, involves private 
> > keys, only public keys - so there is no trust issue with the materials.
> 
>       well... let's agree to disagree here.
> 
> > - The DNSKEY is already published, so the parent can trivially get it, 
> > in a way that is not subject to poisoning (the NS glue is hardcoded in 
> > the parent zone, after all)

        May be published.
 
        Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop