On Fri, Jun 18, 2010 at 12:35:31PM -0400, Edward Lewis wrote:
>> Remember I'm arguing against the KSK+ZSK split in most cases, a different
>> thread will be started on key size recommendation.
>
> I don't think KSK+ZSK is a dead or outmoded idea.

If I understand Olafur correctly, he doesn't either. He just thinks that in a large number of cases, it's not the right approach to achieve the goal of reliable operation (including the reliable availability of data for validation). I agree with him, and tried to make this point in Anaheim. The arguments for KSK/ZSK splits are at best appropriate for certain classes of operation, and I don't think we should publish a document that says that such a split is generally speaking a best practice. I think the arguments for that claim are weak, because there is countervailing evidence to the effect that a single key in the right circumstances will be more reliable and less likely to be messed up by operator error. That is especially true for smaller zones without professional administrators.

A

-- 
Andrew Sullivan
a...@shinkuro.com
Shinkuro, Inc.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop