[dns-operations] DNS self-updates (was: DNSSEC deployment incentives)

Tony Finch dot at dotat.at
Thu Jun 20 09:58:03 UTC 2019

Mark Andrews <marka at isc.org> wrote:
> One can also extract the public key from a CERT to produce a KEY record and
> update the KEY RRset using the existing KEY when a CERT is updated using the
> private part of old CERT or just have a separate key pair for this.  The only
> thing a CERT gives you is trace back to a CA for the initial addition.

I don't think this is particularly easy with existing DNSSEC tools. It
would be nice to have a general-purpose thing for converting between
PEM/DER and DNSSEC key formats.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
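
A sketch of the PEM/DER to KEY conversion discussed in this thread, added here as an example (not part of the original message and not code from any existing DNSSEC tool). It takes a SubjectPublicKeyInfo, the structure `openssl x509 -pubkey -noout` prints for a certificate, and emits a KEY record. Assumptions: the function names are hypothetical, flags 512 and protocol 3 are assumed defaults for a host KEY, RSA keys are mapped to algorithm 8 (RSASHA256), and only RSA and Ed25519 are handled.

```python
import base64
import struct

OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_ED25519 = bytes.fromhex("2b6570")          # 1.3.101.112

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def spki_to_dns(der, rsa_alg=8):
    """SubjectPublicKeyInfo DER -> (DNSSEC algorithm, public key field)."""
    tag, spki, _ = tlv(der)
    t_alg, algid, pos = tlv(spki)
    t_bits, bits, _ = tlv(spki, pos)
    if (tag, t_alg, t_bits) != (0x30, 0x30, 0x03) or bits[0] != 0:
        raise ValueError("not a SubjectPublicKeyInfo")
    oid, key = tlv(algid)[1], bits[1:]         # skip the unused-bits octet
    if oid == OID_ED25519 and len(key) == 32:
        return 15, key                         # RFC 8080: raw 32-byte key
    if oid == OID_RSA:
        seq = tlv(key)[1]                      # RSAPublicKey ::= SEQUENCE { n, e }
        _, n, pos = tlv(seq)
        e = tlv(seq, pos)[1].lstrip(b"\0")
        n = n.lstrip(b"\0")                    # drop DER sign-padding zero
        elen = bytes([len(e)]) if len(e) < 256 else b"\0" + struct.pack("!H", len(e))
        return rsa_alg, elen + e + n           # RFC 3110 layout
    raise ValueError("unsupported key type")

def key_rdata(der, flags=512, protocol=3):
    """Wire-format KEY RDATA; flags/protocol defaults are assumptions."""
    alg, pub = spki_to_dns(der)
    return struct.pack("!HBB", flags, protocol, alg) + pub

def pem_to_key_rr(owner, pem):
    """PEM 'PUBLIC KEY' block -> KEY record in presentation format."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    rd = key_rdata(base64.b64decode("".join(body)))
    flags, proto, alg = struct.unpack("!HBB", rd[:4])
    return f"{owner} IN KEY {flags} {proto} {alg} {base64.b64encode(rd[4:]).decode()}"

# Constructed sample: Ed25519 SPKI header + placeholder bytes, not a real key.
SAMPLE_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END PUBLIC KEY-----\n")
```

The same RDATA layout serves DNSKEY; only the flags value differs (256 or 257 instead of the 512 assumed here).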
