In message <8c733a95-e0d1-4863-bb9c-a25488aa5...@fugue.com>, Ted Lemon writes:
> On Mar 4, 2014, at 10:39 AM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
> >   For a forward zone that I owned, I would push a new DS record upwards.
> >   The likely reason for a new CPE is that the blue smoke got out of the old
> >   one.  If the models were compatible, and I had a backup of the config,
> >   then perhaps the private key would move, but that seems doubtful for most
> >   users.
> 
> How are you going to push DS records upwards if you have lost your key?

If you have example.com then you are not zero conf and you add your TSIG
key to the CPE.

If you are using an ISP assigned name then you re-establish credentials
as part of the DHCP exchange with the ISP.

Updating DS does not, and should not, require working DNSSEC to do; however,
this is an argument for Friday and DNSOP.

> > 3) the perpass/National-Security-Letter situation.
> >   If the key by default resides at the ISP, then it is the ISP that gets
> >   served when some agency thinks it wants to divert traffic by changing DNS,
> >   and once served, the net may may be much larger than desired.
> >   By putting the key in the CPE, the legal papers will have to specify that
> >   device.  It may still be the ISP legal department that responds, but the
> >   chance of screwing up is larger.
> 
> This is probably the best argument I've heard against putting the keys on the
> ISP's server.   However, you still have to make it work.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
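The "push a new DS record upwards" step in the quoted message means publishing, in the parent zone, a DS derived from the replacement KSK. As an added example (not code from the thread or from ISC), the following computes the key tag and DS digest for a DNSKEY per RFC 4034 Appendix B and section 5.1.4, and checks an existing DS against a DNSKEY; the key bytes are constructed and assumed.

```python
"""Derive a DS record from a DNSKEY and verify a DS/DNSKEY pair (RFC 4034)."""
import hashlib
import struct

# DS digest types the code understands (RFC 4034 / 4509 / 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms other than RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF  # fold the carry back in
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Hex digest of canonical owner name || DNSKEY RDATA (RFC 4034 s5.1.4)."""
    return DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS record the parent zone would publish."""
    algorithm = rdata[3]
    return (f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")


def ds_matches(owner: str, rdata: bytes, tag: int, digest_type: int, digest_hex: str) -> bool:
    """True if a DS (tag, digest type, digest) covers this DNSKEY."""
    if digest_type not in DIGEST_ALGS or key_tag(rdata) != tag:
        return False
    return ds_digest(owner, rdata, digest_type) == digest_hex.upper()


# Constructed sample: KSK flags (257), protocol 3, ECDSAP256SHA256 (13), dummy key bytes.
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")
```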