On Wed, Oct 21, 2009 at 08:32:49AM +0100, ray.bel...@nominet.org.uk wrote:
> > Mark, I don't think this is true given how the proposed protocol
> > works.  For a start, you often cannot fetch the DNSKEY RR for ARPA
> > before running the protocol.
> 
> Indeed LOCAL.ARPA would need to be unsigned.  That needs to be added to 
> the draft.
> 
> Since (as Bill points out) LOCAL.ARPA would be served much like RFC 1918 
> space there's no way it could be signed and have the DS key present in the 
> parent, because there will be numerous separate instances of LOCAL.ARPA. 

        well...  there are these cases where an island of trust
        gets its DS keys treated as a SEP and folks configure them
        anyway.

        and I'm sure we can get some kind folks to ensure that no one
        -EVER- shares a trusted keys file with others.

        just saying.

--bill

> 
> In any event the seeding query needs to be sent without the DO bit set, 
> since (some) CPE proxies are known to interfere with that.
> 
> Ray

> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
