On May 22 2010, George Barwood wrote:
> Well, I have uploaded a draft:
> http://www.ietf.org/id/draft-barwood-dnsop-ds-publish-00.txt
> Comments and/or indications of support are of course welcome, on or off list.
Section 3:
| The CDS record MUST be signed with a Key Signing Key, that is a key
| for which there is a DS record.
(a) That's a new definition of "key signing key", I think. RFC3757 comes
closest with KSK = key with SEP bit = "which DNSKEYs are to be sent
for *generating* DS RRs" (my emphasis), but I take it you mean a key
for which a DS record *already* exists.
(b) Why? Why shouldn't a chain of trust through (say) a KSK and a ZSK
be enough? Insisting on a one-step chain seems contrary to the
spirit, at least, of RFC 4034 section 2.1.1.
--
Chris Thompson
Email: c...@ucs.cam.ac.uk
Phone: +44 1223 334715
University of Cambridge Computing Service, New Museums Site, Cambridge CB2 3QH, United Kingdom.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
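The two readings argued over above (the CDS signer must itself be a key with a DS record, versus any key reachable through the DS -> KSK -> ZSK chain) can be made concrete. The following is an added example, not code from the draft or from either poster: it computes DNSSEC key tags (RFC 4034 Appendix B) and SHA-256 DS digests over constructed, made-up DNSKEY records, then applies both checks. The zone name, key bytes and the use of algorithm 13 are assumptions for illustration only.

```python
import hashlib

# Constructed sample zone and keys: flags 257 = KSK (SEP bit set), 256 = ZSK.
# The public-key bytes below are made up; only their structure matters here.
ZONE = "example."

def wire_name(name):
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags(2 bytes), protocol(1 byte, always 3), algorithm(1), key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256) over owner name + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()

def keys_with_ds(owner, dnskeys, ds_digests):
    """Key tags of the DNSKEYs for which a DS record already exists at the parent."""
    return {key_tag(k) for k in dnskeys if ds_digest(owner, k) in ds_digests}

def cds_ok_strict(owner, dnskeys, ds_digests, cds_signer_tag):
    """Section 3 as read above: the key that signed the CDS must itself have a DS."""
    return cds_signer_tag in keys_with_ds(owner, dnskeys, ds_digests)

def cds_ok_chained(owner, dnskeys, ds_digests, cds_signer_tag, dnskey_signer_tag):
    """RFC 4034 style chain: DS -> key signing the DNSKEY RRset -> any key there signs CDS."""
    return (dnskey_signer_tag in keys_with_ds(owner, dnskeys, ds_digests)
            and cds_signer_tag in {key_tag(k) for k in dnskeys})

KSK = dnskey_rdata(257, 13, b"\x01" * 64)  # constructed, not a real key
ZSK = dnskey_rdata(256, 13, b"\x02" * 64)  # constructed, not a real key
DS_SET = {ds_digest(ZONE, KSK)}             # parent publishes a DS for the KSK only

if __name__ == "__main__":
    keys = [KSK, ZSK]
    print("strict, CDS signed by ZSK:", cds_ok_strict(ZONE, keys, DS_SET, key_tag(ZSK)))
    print("chained, CDS signed by ZSK:",
          cds_ok_chained(ZONE, keys, DS_SET, key_tag(ZSK), key_tag(KSK)))
```

A CDS signed only by the ZSK fails the strict check but passes the chained one, which is exactly the gap point (b) above asks about.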