On Tue, 23 Apr 2013, Edward Lewis wrote:
The point is that there are arrangements where you can't talk directly. And there are arrangements where you can talk directly. And there are arrangements where the lingua franca is DNSKEY and not DS. There are many environments. That is why I'm fighting a one-size-fits-all, in-band-only solution.
People suggesting CDS are not suggesting that implementing this is mandatory, and is the One True Way. In fact, it is quite the reverse. CDS proponents want the _ability_ to signal in-band using the DNS and existing trust anchors (DS-KSK pairing), and have no desire to abolish existing out-of-band methods.

Everyone who does not like any of this in-band DNS stuff is free to ignore CDS records at children, and not publish them for parents. Whether dictated by (in)sanity, lawyers, or the White Knights scaling the ICANN Ivory Towers or Ayn Rand.

I get it, you don't like the concept. So don't use it. For those who _do_ like the concept, let's get to a specification that can be useful to most without crippling the basic use case of "using an existing authenticated trust relationship in-band to the DNS for automated updates of the DS record" (and/or NS/GLUE records).

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop