[dns-operations] DS-side NSEC query
Paul Wouters
paul at nohats.ca
Mon Aug 1 16:18:53 UTC 2016
On Sun, 31 Jul 2016, Mark Andrews wrote:
>> freeswan stopped using KEY a decade ago when the DNS people said
>> these records were for DNSSEC only and not for a PKI. Whoever still
>> uses KEY for anything would be wrong. I thought the introduction
>> of DNSKEY/RRSIG/NSEC killed the KEY/SIG/NXT records.
>
> KEY has *never* been DNSSEC only. DNSKEY is DNSSEC only. KEY is
> still used for SIG(0). DNSKEY/RRSIG/NSEC took over zone signing.
> Every other use of KEY/SIG/NXT however remained.
I should have said "DNS only" instead of "DNSSEC only".
The IETF disallowed putting IPsec related keys in the KEY RRtype.
Paul