[dns-operations] any registries require DNSKEY not DS?
Paul Vixie
paul at redbarn.org
Thu Jan 23 04:16:57 UTC 2020
On Thursday, 23 January 2020 02:51:28 UTC Warren Kumari wrote:
> ...
>
> If the parent makes the DS for me from my DNSKEY, well, then the DS
> suddently "feels" like it belongs more to the parent than the child,
> but this is starting to get into the "I no longer know why I believe
> what I believe" territory (and is internally inconsistent), so I'll
> just stop thinking about this and go shopping instead :-)
as you see, the DS RRset is authoritative in the parent, in spite of its name
being the delegation point, which is otherwise authoritative only in the
child. so, DS really is "owned by" the delegating zone, unlike, say, NS.
historians please note: we should have put the DS RRset at $child._dnssec.
$parent, so that there was no exception to the rule whereby the delegation
point belongs to the child. this was an unforced error; we were just careless.
so, example._dnssec.com rather than example.com.
--
Paul
More information about the dns-operations
mailing list