> On Jul 8, 2018, at 6:02 PM, George Michaelson <g...@algebras.org> wrote:
>
> So how about use of a PGP key which is a payload in TXT signed over by
> the ZSK/KSK so the trust paths bind together?
>
> fetch one DNS record +sigs, check against the TA (which has to be a
> given) and then..
Currently in the zone digest draft DNSSEC is not mandatory. That is, the zone needn't necessarily be signed and a receiver need not perform the validation if they don't want to.

Even without DNSSEC the digest gives you a little protection from accidental corruption. But not from malicious interference, of course.

It seems kind of silly to me to double up on public key cryptosystems. We already have keys attached to zones and software that generates and validates signatures.

DW
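The distinction DW draws (a bare digest catches accidental corruption, a digest vouched for by the zone's own DNSSEC key also catches deliberate modification) is easy to see in code. The following is an added illustration, not code from the zone digest draft, from DW, or from any DNS implementation. It assumes a hypothetical zone `example.test.` with RFC 5737 documentation addresses, uses a simplified SHA-384 over a sorted text rendering rather than the draft's exact canonical ordering and wire-format hashing, and uses an HMAC keyed with a zone-operator secret as a stand-in for the public-key RRSIG that DNSSEC would actually place over the digest record:

```python
import hashlib
import hmac
import secrets

# Constructed sample zone (hypothetical names, RFC 5737 documentation addresses):
# a list of (owner, type, rdata) tuples standing in for the RRs of a zone file.
SAMPLE_ZONE = [
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 2018070801 3600 900 1209600 300"),
    ("example.test.", "NS", "ns1.example.test."),
    ("www.example.test.", "A", "192.0.2.10"),
    ("mail.example.test.", "A", "192.0.2.25"),
]


def zone_digest(records):
    """Simplified zone digest: SHA-384 over a sorted, canonical text rendering.

    This models the idea of the zone digest draft (a hash over the whole zone,
    published inside the zone); it is NOT the draft's exact canonical ordering
    or wire-format hashing.
    """
    canonical = "\n".join(
        f"{owner.lower()} {rtype} {rdata}" for owner, rtype, rdata in sorted(records)
    )
    return hashlib.sha384(canonical.encode("ascii")).hexdigest()


def verify_unsigned(records, published_digest):
    """Digest-only check, i.e. the zone is not DNSSEC-signed.

    Catches accidental corruption in transit or on disk, but nothing more:
    whoever can rewrite the records can also rewrite the published digest.
    """
    return hmac.compare_digest(zone_digest(records), published_digest)


def sign_digest(digest_hex, zone_key):
    """Stand-in for the RRSIG that DNSSEC would place over the digest record.

    An HMAC keyed with the zone operator's secret replaces a real public-key
    signature so the example runs on the standard library alone; the trust
    argument (only the key holder can vouch for a digest) is the same.
    """
    return hmac.new(zone_key, digest_hex.encode("ascii"), hashlib.sha256).hexdigest()


def verify_signed(records, published_digest, signature, trusted_key):
    """DNSSEC-style check: first confirm the digest is vouched for by a key the
    receiver already trusts, then confirm the zone content matches that digest."""
    expected = sign_digest(published_digest, trusted_key)
    if not hmac.compare_digest(expected, signature):
        return False
    return verify_unsigned(records, published_digest)


def demo():
    """Run the scenarios the message contrasts and return the receiver's verdicts."""
    zone_key = secrets.token_bytes(32)  # held by the zone operator only
    good_digest = zone_digest(SAMPLE_ZONE)
    good_sig = sign_digest(good_digest, zone_key)

    # Accidental corruption: one octet of one A record changed, digest left as published.
    corrupted = [("www.example.test.", "A", "192.0.2.11") if r[0] == "www.example.test." else r
                 for r in SAMPLE_ZONE]

    # Deliberate modification: the record is changed AND the digest recomputed to
    # match, which is exactly what an unsigned digest cannot detect.
    tampered = [("www.example.test.", "A", "198.51.100.7") if r[0] == "www.example.test." else r
                for r in SAMPLE_ZONE]
    tampered_digest = zone_digest(tampered)

    return {
        "intact_unsigned": verify_unsigned(SAMPLE_ZONE, good_digest),     # True
        "corrupted_unsigned": verify_unsigned(corrupted, good_digest),    # False: corruption caught
        "tampered_unsigned": verify_unsigned(tampered, tampered_digest),  # True: no protection
        "intact_signed": verify_signed(SAMPLE_ZONE, good_digest, good_sig, zone_key),  # True
        # Without zone_key the modifier can only reuse the old signature, which does not
        # cover the new digest, or keep the old digest, which the zone no longer matches.
        "tampered_signed_new_digest": verify_signed(tampered, tampered_digest, good_sig, zone_key),  # False
        "tampered_signed_old_digest": verify_signed(tampered, good_digest, good_sig, zone_key),      # False
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {'accepted' if verdict else 'REJECTED'}")
```

The `tampered_unsigned` verdict is the whole point: a receiver that skips DNSSEC validation accepts a rewritten zone as long as the digest was rewritten with it, while the two `tampered_signed_*` cases show that binding the digest to a key the receiver already trusts closes that gap without introducing a second key system.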
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop