[dns-operations] Split DNS: DNSSEC outside and not inside

Edward Lewis Ed.Lewis at neustar.biz
Wed Sep 3 03:56:15 UTC 2008


At 13:46 +1000 9/3/08, Mark Andrews wrote:

>	You would have to touch the control plane to support a "null
>	key" as the DS records from the parent won't match the "null
>	key".

Diving way too deeply into a solution at this point (forgetting for a 
moment that this isn't the protocol-defining mail list, this one is an 
operations list)... no, it isn't necessary.

One could potentially have a DNSKEY set including the key that 
corresponds to the DS at the parent and then another key of the same 
algorithm designating that the algorithm is not used for signing the 
zone.

That would be one way to avoid the control plane and keep this data driven.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Never confuse activity with progress.  Activity pays more.


