On Fri, Feb 7, 2014 at 1:12 PM, Doug Barton <do...@dougbarton.us> wrote:
> On 02/06/2014 11:13 AM, Warren Kumari wrote:
>>
>> This means that you can use this to update / replace / remove existing
>> DS records (if you have keys A, B, C and D and want to stop using C,
>> you simply publish A, B, D), but you cannot remove *all* DS records /
>> go unsigned.
>
>
> If we're willing to allow zones to go from unsigned to signed via CDS, why
> not go from signed to unsigned? Both situations represent DOS vectors via
> MITM.

We are not allowing zones to go from unsigned to signed:
"This document does not address the initial configuration of trust
anchors for a domain."
and
"While it may be tempting, this SHOULD NOT be used for initial
enrollment of keys since there is no way to ensure that the initial
key is the correct one. If it is used, strict rules for inclusion of keys
like hold down times, challenge data inclusion etc., ought to be used,
along with some kind of challenge mechanism."

W

>
> Doug
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
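The acceptance rules described in this thread (a CDS RRset may update or replace the delegation's DS set, but may neither empty it nor bootstrap an unsigned delegation), written out as a parent-side decision routine. This is an added example, not code from the thread, from any draft, or from any registry; the `DS` record type, the `hold_down_seconds` policy knob and the sample keys A–D are constructed for illustration, and the caller is assumed to have already DNSSEC-validated the CDS RRset against the DS records currently published.

```python
"""Parent-side policy for acting on a child's CDS RRset (illustrative)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class DS:
    """One DS / CDS record; CDS carries the same fields, published by the child."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


@dataclass(frozen=True)
class Decision:
    accepted: bool
    new_ds: Optional[FrozenSet[DS]]   # DS set the parent should publish, if accepted
    reason: str


def decide_cds(current_ds: Iterable[DS], cds: Iterable[DS],
               cds_age_seconds: int, hold_down_seconds: int = 0) -> Decision:
    """Decide whether the parent may replace its DS set with the child's CDS set.

    current_ds:        DS records the parent currently publishes for the child.
    cds:               CDS records the child publishes (assumed already validated
                       by the caller against current_ds).
    cds_age_seconds:   how long this exact CDS RRset has been observed unchanged.
    hold_down_seconds: minimum observation time before a change is acted upon
                       (an assumed policy knob, in the spirit of the draft's
                       "hold down times").
    """
    current_ds = frozenset(current_ds)
    cds = frozenset(cds)

    # No initial enrollment: an unsigned delegation has no trusted key with
    # which the CDS could have been validated, so it is never acted upon.
    if not current_ds:
        return Decision(False, None, "delegation is unsigned; CDS cannot bootstrap a DS set")

    # Removing every DS record (going unsigned) is not expressible via CDS.
    if not cds:
        return Decision(False, None, "empty CDS set; CDS cannot remove all DS records")

    if cds == current_ds:
        return Decision(True, current_ds, "no change")

    # Update / replace / partial removal: publish exactly what the child asks for,
    # once the change has been stable for the hold-down period.
    if cds_age_seconds < hold_down_seconds:
        return Decision(False, None, "CDS change younger than hold-down period")
    return Decision(True, cds, "DS set replaced from CDS")


def diff_ds(current_ds: Iterable[DS], new_ds: Iterable[DS]):
    """Return (records to add, records to remove) for the parent's change."""
    current_ds, new_ds = frozenset(current_ds), frozenset(new_ds)
    return new_ds - current_ds, current_ds - new_ds


# Constructed sample keys A, B, C, D (digests are placeholders, not real hashes).
KEY_A = DS(11111, 13, 2, "aa" * 32)
KEY_B = DS(22222, 13, 2, "bb" * 32)
KEY_C = DS(33333, 13, 2, "cc" * 32)
KEY_D = DS(44444, 13, 2, "dd" * 32)

if __name__ == "__main__":
    # Stop using C: the child publishes A, B, D and the parent drops C.
    d = decide_cds({KEY_A, KEY_B, KEY_C, KEY_D}, {KEY_A, KEY_B, KEY_D},
                   cds_age_seconds=2 * 86400, hold_down_seconds=86400)
    print(d.reason, diff_ds({KEY_A, KEY_B, KEY_C, KEY_D}, d.new_ds))
    print(decide_cds({KEY_A}, set(), 2 * 86400).reason)   # cannot go unsigned
    print(decide_cds(set(), {KEY_A}, 2 * 86400).reason)   # no initial enrollment
```

The hold-down check is the one piece of policy the thread only alludes to; a parent that wants the "challenge data inclusion" the quoted draft mentions would add that as a further precondition before returning an accepted decision.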
