On Wed, Oct 21, 2009 at 08:32:49AM +0100, ray.bel...@nominet.org.uk wrote:
> > Mark, I don't think this is true given how the proposed protocol
> > works. For a start, you often cannot fetch the DNSKEY RR for ARPA
> > before running the protocol.
>
> Indeed LOCAL.ARPA would need to be unsigned. That needs to be added to
> the draft.
>
> Since (as Bill points out) LOCAL.ARPA would be served much like RFC 1918
> space there's no way it could be signed and have the DS key present in the
> parent, because there will be numerous separate instances of LOCAL.ARPA.

well... there are these cases where an island of trust gets its DS keys
treated as a SEP and folks configure them anyway. and I'm sure we can get
some kind folks to ensure that no one -EVER- shares a trusted keys file
with others.

just saying.

--bill

>
> In any event the seeding query needs to be sent without the DO bit set,
> since (some) CPE proxies are known to interfere with that.
>
> Ray
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop