[dns-operations] DS-side NSEC query
Mark Andrews
marka at isc.org
Sat Jul 30 22:40:22 UTC 2016
In message <alpine.LRH.2.20.1607301821140.13622 at bofh.nohats.ca>, Paul Wouters writes:
> On Sat, 30 Jul 2016, Mark Andrews wrote:
>
> > KEY is also another type which exists authoritatively both sides
> > of a delegation as does NXT which NSEC replaced and both RRSIG and
> > SIG. NXT and SIG should be virtually non-existent but KEY still
> > exists.
>
> freeswan stopped using KEY a decade ago when the DNS people said
> these records were for DNSSEC only and not for a PKI. Whoever still
> uses KEY for anything would be wrong. I thought the introduction
> of DNSKEY/RRSIG/NSEC killed the KEY/SIG/NXT records.
KEY has *never* been DNSSEC only. DNSKEY is DNSSEC only. KEY is
still used for SIG(0). DNSKEY/RRSIG/NSEC took over zone signing.
Every other use of KEY/SIG/NXT however remained.
> Paul
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org