To: ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From: "D. J. Bernstein" <djb@cr.yp.to>
Date: 29 Jul 2001 13:57:07 -0000
Automatic-Legal-Notices: Copyright 2001, D. J. Bernstein. My transmission of this message to you does not constitute a copyright waiver or any other limitation of my rights, even if you have told me otherwise.
Content-Disposition: inline
Subject: Re: (ngtrans) Re: NGtrans - DNSext joint meeting, call for participation

Robert Elz writes:
> The data needs to be somehow carried to the key (which cannot be
> exposed anywhere near any network), the signing done, and then the
> data carried back again. Doing that once a month for most people
> just might be tolerable - once a day and all that will ever exist are
> expired signatures.

How, pray tell, do you expect a large site to sign its DNS records, if it has access to its signing key only twelve times a year?

This is even worse than ``wait a month for old records to go away.'' It also means ``wait a month for new records to appear.'' Do you seriously believe that administrators and users will tolerate this?

---Dan