There are arguments on both sides about cross signing, counter signing and
independent self-signing. If you want to promote out-of-band zone
exchange, it has to be signed. The key it signs with is immaterial if
you either have direct knowledge of the PK in a PKI, or accept a trust
anchor relationship over it, or a web of trust.

So do you prefer (for instance) that the ZSK be used outside of DNSSEC
to sign a detached signature over the file, irrespective of content
order, if the file is to be made available? Because if you basically
prefer it's *not signed* for this mode of transfer, you've stepped
outside the model: you now demand the file is checked on load, element
by element, against the TA, rather than being integrity checked by a
MAC signed by the issuer, which permits e.g. direct binary loading, or
other states.

-G

On Tue, Jul 10, 2018 at 7:47 AM, Wessels, Duane <dwess...@verisign.com> wrote:
>
>> On Jul 8, 2018, at 6:02 PM, George Michaelson <g...@algebras.org> wrote:
>>
>> So how about use of a PGP key which is a payload in TXT signed over by
>> the ZSK/KSK so the trust paths bind together?
>>
>> fetch one DNS record +sigs, check against the TA (which has to be a
>> given) and then..
>
> Currently in the zone digest draft DNSSEC is not mandatory.  That is, the zone
> needn't necessarily be signed and a receiver need not perform the validation
> if they don't want to.
>
> Even without DNSSEC the digest gives you a little protection from accidental
> corruption.  But not from malicious interference of course.
>
> It seems kind of silly to me to double up on public key cryptosystems.  We
> already have keys attached to zones and software that generates and validates
> signatures.
>
> DW
>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
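As an added illustration of the two modes discussed in this thread (an unkeyed digest over the file versus a detached signature over it, computed independently of record order), the following Go program is example code written for this page; it is not code from the thread, from the zone digest draft, or from any DNS implementation. It assumes an Ed25519 key standing in for the ZSK, a deliberately simplified canonicalisation (drop comments and blank lines, trim, sort lexicographically; this is not the RFC 4034 canonical ordering), and a small constructed zone file as input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample zone (not real data). reorderedZone carries the same
// records in a different order; tamperedZone changes one address.
const sampleZone = `; constructed example zone
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2018071001 7200 3600 1209600 3600
example.test. 3600 IN NS ns1.example.test.
ns1.example.test. 3600 IN A 192.0.2.1
www.example.test. 3600 IN A 192.0.2.10
`

const reorderedZone = `www.example.test. 3600 IN A 192.0.2.10
ns1.example.test. 3600 IN A 192.0.2.1
; same records, different order
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2018071001 7200 3600 1209600 3600
`

const tamperedZone = `example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2018071001 7200 3600 1209600 3600
example.test. 3600 IN NS ns1.example.test.
ns1.example.test. 3600 IN A 192.0.2.1
www.example.test. 3600 IN A 198.51.100.1
`

// canonicalZone builds an order-independent byte string for the file:
// comments and blank lines are dropped, lines are trimmed and sorted.
// Simplified for illustration; real zone canonicalisation is more involved.
func canonicalZone(zone string) []byte {
	var lines []string
	for _, l := range strings.Split(zone, "\n") {
		l = strings.TrimSpace(l)
		if l == "" || strings.HasPrefix(l, ";") {
			continue
		}
		lines = append(lines, l)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n") + "\n")
}

// zoneDigest is the unkeyed digest: it catches accidental corruption but
// anyone who can rewrite the file can also recompute it.
func zoneDigest(zone string) [32]byte {
	return sha256.Sum256(canonicalZone(zone))
}

// signZone produces a detached signature over the canonical form with the
// issuer's private key (Ed25519 here, standing in for the ZSK).
func signZone(priv ed25519.PrivateKey, zone string) []byte {
	return ed25519.Sign(priv, canonicalZone(zone))
}

// verifyZone checks a detached signature against the canonical form, so a
// receiver can accept the whole file without walking it record by record.
func verifyZone(pub ed25519.PublicKey, zone string, sig []byte) bool {
	return ed25519.Verify(pub, canonicalZone(zone), sig)
}

// demoResult summarises what a receiver would observe for each file.
type demoResult struct {
	ReorderedSigOK    bool // same records, different order: must verify
	TamperedSigOK     bool // changed record: must fail
	AttackerResignOK  bool // tampered file re-signed with a different key: must fail
	DigestOrderStable bool // digest is order independent
	DigestTamperSeen  bool // digest changes when a record changes
}

// runDemo signs the sample zone and checks the reordered and tampered copies.
func runDemo() (demoResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return demoResult{}, err
	}
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return demoResult{}, err
	}
	_ = attackerPub // the receiver only trusts pub, never the attacker's key
	sig := signZone(priv, sampleZone)
	return demoResult{
		ReorderedSigOK:    verifyZone(pub, reorderedZone, sig),
		TamperedSigOK:     verifyZone(pub, tamperedZone, sig),
		AttackerResignOK:  verifyZone(pub, tamperedZone, signZone(attackerPriv, tamperedZone)),
		DigestOrderStable: zoneDigest(sampleZone) == zoneDigest(reorderedZone),
		DigestTamperSeen:  zoneDigest(sampleZone) != zoneDigest(tamperedZone),
	}, nil
}

func main() {
	r, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The receiver in this model needs only the issuer's public key (or a trust path to it) and the detached signature; it never has to validate individual RRsets to know the file is the one the issuer published, which is the property the post contrasts with element-by-element checking against the TA.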