[dns-operations] Split DNS: DNSSEC outside and not inside
Edward Lewis
Ed.Lewis at neustar.biz
Wed Sep 3 03:56:15 UTC 2008
At 13:46 +1000 9/3/08, Mark Andrews wrote:
> You would have to touch the control plane to support a "null
> key" as the DS records from the parent won't match the "null
> key".

Diving way too deeply into a solution at this point (forgetting for a
moment that this isn't the protocol-defining mail list, this one is an
operations list)...no, it isn't necessary.

One could potentially have a DNSKEY set including the key that
corresponds to the DS at the parent and then another key of the same
algorithm designating that the algorithm is not used for signing the
zone.

That would be one way to avoid the control plane and keep this data driven.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Never confuse activity with progress. Activity pays more.