[dns-operations] DS-side NSEC query

Paul Wouters paul at nohats.ca
Mon Aug 1 16:18:53 UTC 2016

On Sun, 31 Jul 2016, Mark Andrews wrote:

>> freeswan stopped using KEY a decade ago when the DNS people said
>> these records were for DNSSEC only and not for a PKI. Whoever still
>> uses KEY for anything would be wrong. I thought the introduction
>> of DNSKEY/RRSIG/NSEC killed the KEY/SIG/NXT records.
> KEY has *never* been DNSSEC only.  DNSKEY is DNSSEC only.  KEY is
> still used for SIG(0).  DNSKEY/RRSIG/NSEC took over zone signing.
> Every other use of KEY/SIG/NXT however remained.

I should have said "DNS only" instead od "DNSSEC only".

The IETF disallowed putting IPsec related keys in the KEY RRtype.


More information about the dns-operations mailing list