On 02/07/2014 10:14 AM, Warren Kumari wrote:
On Fri, Feb 7, 2014 at 1:12 PM, Doug Barton <do...@dougbarton.us> wrote:
On 02/06/2014 11:13 AM, Warren Kumari wrote:

This means that you can use this to update / replace / remove existing
DS records (if you have keys A, B, C and D and want to stop using C,
you simply publish A, B, D), but you cannot remove *all* DS records /
go unsigned.


If we're willing to allow zones to go from unsigned to signed via CDS, why
not go from signed to unsigned? Both situations represent DOS vectors via
MITM.

We are not allowing zones to go from unsigned to signed:

Right, and because it says not to do it in the RFC no one is going to do it? :)

Doug

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
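As an added example (not code from the thread or from any of its participants), here is a parent-side policy check in Python that models the two rules discussed above: a CDS RRset may add, replace or drop individual DS records, but it is not used to go unsigned or to bootstrap a currently unsigned child. Key tags, algorithms and digests are constructed placeholders, not real keys.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class DS:
    """One DS record; the values below are constructed samples, not real keys."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str

class Rejected(Exception):
    """A CDS-driven transition the parent refuses to perform."""

def apply_cds(current_ds: frozenset, cds: Optional[frozenset]) -> frozenset:
    """DS RRset the parent should publish after polling the child's CDS.

    None: the child publishes no CDS RRset, so DS is left untouched. Otherwise
    CDS replaces DS wholesale (add / replace / drop individual records), except
    that an unsigned child is not bootstrapped and an empty result (going
    unsigned) is refused: the two rules argued over in the thread above.
    """
    if cds is None:
        return current_ds
    if not current_ds:
        raise Rejected("child is unsigned; CDS is not used to bootstrap DNSSEC")
    if not cds:
        raise Rejected("CDS would remove every DS record; refusing to go unsigned")
    return frozenset(cds)

def transition_allowed(current_ds: frozenset, cds: Optional[frozenset]) -> bool:
    """Policy check only: True if apply_cds() would accept the change."""
    try:
        apply_cds(current_ds, cds)
        return True
    except Rejected:
        return False

def ds_changes(old: frozenset, new: frozenset) -> Tuple[frozenset, frozenset]:
    """(added, removed) DS records between two DS RRsets."""
    return new - old, old - new

# Constructed sample: the thread's keys A..D (algorithm 13, SHA-256 digest type).
KEY_A, KEY_B, KEY_C, KEY_D = (DS(t, 13, 2, f"{t:04x}" * 16) for t in (1111, 2222, 3333, 4444))
CURRENT = frozenset({KEY_A, KEY_B, KEY_C, KEY_D})
CDS_DROP_C = frozenset({KEY_A, KEY_B, KEY_D})  # stop using C: publish A, B, D

if __name__ == "__main__":
    print(ds_changes(CURRENT, apply_cds(CURRENT, CDS_DROP_C)))  # nothing added, C removed
    print(transition_allowed(CURRENT, frozenset()))              # False: would go unsigned
    print(transition_allowed(frozenset(), CDS_DROP_C))           # False: unsigned child
```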
