On Nov 8, 2010, at 11:41 PM, Jelte Jansen wrote:
On 11/09/2010 02:33 AM, Roy Arends wrote:
4.2.1 KSK Compromise (2nd paragraph)
A compromised KSK used by an attacker can also sign data in the zone other
than the key set. An attacker does not need to follow the definitions of
KSK vs ZSK.
Hi Rickard,
On 11/09/2010 10:40 AM, Rickard Bellgrim wrote:
I also think that it should be possible to send in a DS RR for which
there is no DNSKEY in the child zone. I know that there are
registries that disallow this and others allow this. The
Thanks for the very detailed review!
Due to family circumstances I cannot be at the dnsop meeting and I will not
have time to review all the points you made before Thursday.
However, since you highlighted this point in the hallway, I would like to ask
the working group for guidance.
4.1