> I have to agree with that, except that you probably need more 9's.
Oh, I don't know about that.
Three 9's should be more than enough accuracy to describe the set of
people who've ever put a DS or DNSKEY record in their zone files ;-)
Ray
___
DNSOP
In message <20090310232216.gc3...@sirocco.local>, Matt Larson writes:
> On Wed, 11 Mar 2009, Mark Andrews wrote:
> >
> > In message <20090310213643.gn2...@dul1mcmlarson-l1.local>, Matt Larson writes:
> > > Mark,
> > >
> > > On Wed, 11 Mar 2009, Mark Andrews wrote:
> > > > [...] it is impossib
On Wed, 11 Mar 2009, Mark Andrews wrote:
>
> In message <20090310213643.gn2...@dul1mcmlarson-l1.local>, Matt Larson writes:
> > Mark,
> >
> > On Wed, 11 Mar 2009, Mark Andrews wrote:
> > > [...] it is impossible to convert a DS to a DNSKEY prior to the
> > > publication of the DNSKEY in the DNS.
In message <20090310213643.gn2...@dul1mcmlarson-l1.local>, Matt Larson writes:
> Mark,
>
> On Wed, 11 Mar 2009, Mark Andrews wrote:
> > [...] it is impossible to convert a DS to a DNSKEY prior to the
> > publication of the DNSKEY in the DNS.
>
> Why would a validator ever need to do this?
On Mar 10 2009, Mark Andrews wrote:
Has anyone on this list ever typed in a DNSKEY or DS as a
trust anchor? I would presume that most (99.%) people
would just cut-and-paste or the equivalent. I call "ease
of typing" an unjustifiable justification as no one will be
doing it even for DS recor
Mark,
On Wed, 11 Mar 2009, Mark Andrews wrote:
> [...] it is impossible to convert a DS to a DNSKEY prior to the
> publication of the DNSKEY in the DNS.
Why would a validator ever need to do this?
Matt
___
DNSOP mailing list
DNSOP@ietf.org
https://www.
In message , Edward Lewis writes:
> At 8:35 +1100 3/10/09, Mark Andrews wrote:
>
> > This makes DNSKEY a better mandatory record to publish.
>
> While there's little empirical data on trust anchors to date, my
> inclination is to whole-heartedly disagree with this statement. So
> long as t
At 8:35 +1100 3/10/09, Mark Andrews wrote:
This makes DNSKEY a better mandatory record to publish.
While there's little empirical data on trust anchors to date, my
inclination is to whole-heartedly disagree with this statement. So
long as the DS record points to a unique DNSKEY recor
At 00:43 10/03/2009, Mark Andrews wrote:
In message <20090310041254.gb4...@vacation.karoshi.com.>, bmann...@vacation.karoshi.com writes:
> On Tue, Mar 10, 2009 at 12:55:51PM +1100, Mark Andrews wrote:
> >
> > In message , David Blacka writes:
> > >
> > > On Mar 9, 2009, at 5:35 PM, M
At 17:35 09/03/2009, Mark Andrews wrote:
On a related issue DS -> DNSKEY translations cannot be
performed until the DNSKEY is published in the zone. The
use of DS prevents pre-publishing of keys.
Once the key is generated a DS of it can be generated.
Our draft does no
In message <20090310041254.gb4...@vacation.karoshi.com.>, bmann...@vacation.karoshi.com writes:
> On Tue, Mar 10, 2009 at 12:55:51PM +1100, Mark Andrews wrote:
> >
> > In message , David Blacka writes:
> > >
> > > On Mar 9, 2009, at 5:35 PM, Mark Andrews wrote:
> > > >
> > > > O
In message <20090310041105.ga4...@vacation.karoshi.com.>, bmann...@vacation.karoshi.com writes:
> On Tue, Mar 10, 2009 at 08:35:40AM +1100, Mark Andrews wrote:
> >
> > In message <200903091515.n29ffetp055...@stora.ogud.com>, Olafur Gudmundsson writes:
On Tue, Mar 10, 2009 at 12:55:51PM +1100, Mark Andrews wrote:
>
> In message , David Blacka writes:
> >
> > On Mar 9, 2009, at 5:35 PM, Mark Andrews wrote:
> > >
> > > On a related issue DS -> DNSKEY translations cannot be
> > > performed until the DNSKEY is published in the zone. The
On Tue, Mar 10, 2009 at 08:35:40AM +1100, Mark Andrews wrote:
>
> In message <200903091515.n29ffetp055...@stora.ogud.com>, Olafur Gudmundsson writes:
In message , David Blacka writes:
>
> On Mar 9, 2009, at 5:35 PM, Mark Andrews wrote:
> >
> > On a related issue DS -> DNSKEY translations cannot be
> > performed until the DNSKEY is published in the zone. The
> > use of DS prevents pre-publishing of keys.
>
> Huh? You can generat
On Mar 9, 2009, at 5:35 PM, Mark Andrews wrote:
On a related issue DS -> DNSKEY translations cannot be
performed until the DNSKEY is published in the zone. The
use of DS prevents pre-publishing of keys.
Huh? You can generate a DS from the DNSKEY record that you have
In message <200903091515.n29ffetp055...@stora.ogud.com>, Olafur Gudmundsson writes:
At 13:46 06/08/2008, Paul Hoffman wrote:
Greetings again. The end of section 2 of this document says:
Another advantage of configuring a trust anchor using a DS record is
that the entire hash of the public key in the DS RDATA need not
necessarily be specified. A validating resolver MAY
Greetings again. The end of section 2 of this document says:
Another advantage of configuring a trust anchor using a DS record is
that the entire hash of the public key in the DS RDATA need not
necessarily be specified. A validating resolver MAY support
configuration using a truncated