Bob Harold writes:

> I don't understand this section:
>
> 5.1.1. On-the-fly Signatures
> ...
> One possible mitigation for addressing the risk of keeping the zone
> signing key online would be to continue to keep the key for signing
> positive answers offline and introduce a second key for online
> signing of negative answers.

How dreadfully embarrassing. I'm responsible for that. It was an underdeveloped thought about how multiple keys can possibly be used in a zone to sign different answers. Clearly in the form it made it into the draft it's a bit nonsense. My apologies. It's kind of orthogonal to the main thrust of the BULK proposal though so I expect this bit will just disappear in the next version.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop