> On Jul 25, 2018, at 10:09 AM, Paul Wouters <p...@nohats.ca> wrote:
>
> If you do want all of that protected, which I don't think there are
> strong reasons for, why not place an OPENPGPKEY record in the zone and
> use pgp to sign it? No new custom software needed, and equally
> annoying validating the OPENPGPKEY as the ZONEMD data.
What new custom software are you thinking of? One of my expectations is that ZONEMD would be implemented in name server software. That software already includes code to calculate hashes and verify DNSSEC signatures. AFAIK no name server software knows how to verify pgp signatures. (Admittedly perhaps missing from some current name server software is code for canonical sorting.)

DW
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop