On Fri, Feb 7, 2014 at 2:12 PM, Joe Abley <jab...@hopcount.ca> wrote:
>
> On 2014-02-07, at 13:18, Doug Barton <do...@dougbarton.us> wrote:
>
>> On 02/07/2014 10:14 AM, Warren Kumari wrote:
>>
>>> We are not allowing zones to go from unsigned to signed:
>>
>> Right, and because it says not to do it in the RFC no one is going to do it?
>> :)
>
> I don't see how it would work. The parental agent has no automated way to
> trust the C* RRSets published in a zone with no secure delegation from its
> parent.
>

No no no... You don't see how it would work *securely*.
We actually say:

"While it may be tempting, this SHOULD NOT be used for initial enrollment of keys since there is no way to ensure that the initial key is the correct one. If it is used, strict rules for inclusion of keys like hold-down times, challenge data inclusion etc., ought to be used, along with some kind of challenge mechanism."

The thought behind this was that an unsigned child *could* start publishing a CDS / CDNSKEY record. The child would then "securely, through some out of band mechanism" (hand wave, hand wave) contact the parent and they would agree that this is the correct key and the parent would then manually include it.

Please note that A: we say don't do this, B: the hand-wave, and C: the fact that we are not specifying how this should happen.

W

>
> Joe
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
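As an added example, not code from the thread, from the draft (which later became RFC 7344) or from any registry: the check a parental agent would run to apply the rule Joe and Warren are discussing. It accepts a child's CDS/CDNSKEY only when the child's answer validated as Secure, which can only be the case when a DS already exists at the parent, so the unsigned-to-signed case is refused before the record contents are even looked at. The DNSSEC validation state is passed in as data (a real agent takes it from a validating resolver), the DS derivation follows RFC 4034, and the zone name and key bytes are constructed, not real keys.

```python
"""Parental-agent acceptance check for CDS/CDNSKEY records.

Added illustration modelled on the rules in
draft-ietf-dnsop-delegation-trust-maintainance (later RFC 7344); not code
from the thread or from any registry. The validation state of the child's
answer is passed in as data, and all key material below is constructed."""

import base64
import hashlib
import struct
from enum import Enum


class Validation(Enum):
    SECURE = "secure"      # chain of trust from the parent's DS down to the C* RRsets
    INSECURE = "insecure"  # no DS at the parent: the child is unsigned as far as the parent can tell
    BOGUS = "bogus"        # a DS exists but the signatures over the C* RRsets do not verify


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercase labels, RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B, algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS RDATA (keytag, algorithm, digest_type, digest_hex) for a DNSKEY
    (RFC 4034 section 5.1.4: digest over owner name + DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def decide(child, validation, cds, cdnskey, current_ds):
    """Return the parental agent's decision for one polling run.

    cds:        set of (keytag, algorithm, digest_type, digest_hex) seen as CDS
    cdnskey:    list of (flags, protocol, algorithm, pubkey_b64) seen as CDNSKEY
    current_ds: the DS set the parent publishes for the child today
    """
    if validation is Validation.INSECURE:
        # Joe's point: with no DS at the parent there is no chain of trust to the
        # C* RRsets, so nothing here can be accepted automatically. Initial
        # enrollment has to happen out of band.
        return "reject: no secure delegation, initial enrollment must be out of band"
    if validation is Validation.BOGUS:
        return "reject: CDS/CDNSKEY RRsets did not validate"
    if not cds and not cdnskey:
        return "no-op: child publishes neither CDS nor CDNSKEY"
    if cds and cdnskey:
        # When both are published they must describe the same keys.
        for ds in cds:
            if not any(ds_from_dnskey(child, *k, digest_type=ds[2]) == ds for k in cdnskey):
                return "reject: CDS with key tag %d has no matching CDNSKEY" % ds[0]
        for k in cdnskey:
            if not any(ds_from_dnskey(child, *k, digest_type=ds[2]) == ds for ds in cds):
                return "reject: CDNSKEY with key tag %d has no matching CDS" % key_tag(dnskey_rdata(*k))
    new_ds = set(cds) if cds else {ds_from_dnskey(child, *k) for k in cdnskey}
    if new_ds == set(current_ds):
        return "no-op: CDS already matches the published DS"
    return "accept: replace DS RRset with %d record(s)" % len(new_ds)


# Constructed sample data. 64 bytes is the public key length of algorithm 13
# (ECDSAP256SHA256); these bytes are not real keys.
CHILD = "example.net."
OLD_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KEY = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
CURRENT_DS = {ds_from_dnskey(CHILD, *OLD_KEY)}

if __name__ == "__main__":
    new_cds = {ds_from_dnskey(CHILD, *NEW_KEY)}
    # The unsigned-to-signed case the thread is about: refused regardless of content.
    print(decide(CHILD, Validation.INSECURE, new_cds, [NEW_KEY], set()))
    # A signed child rolling its KSK: accepted once CDS and CDNSKEY agree.
    print(decide(CHILD, Validation.SECURE, new_cds, [NEW_KEY], CURRENT_DS))
    # CDS and CDNSKEY describing different keys: refused.
    print(decide(CHILD, Validation.SECURE, CURRENT_DS, [NEW_KEY], CURRENT_DS))
```

The hold-down timers and challenge data the quoted draft text mentions are not modelled here; a deployed agent would also want the Secure state to come from a resolver that actually verified the RRSIG over the C* RRsets against a key present in the current DS RRset, since that is the only thing that makes the change attributable to the current holder of the zone.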