

To: Dan Massey <masseyd@isi.edu>, Jakob Schlyter <jakob@crt.se>
Cc: Scott Rose <scottr@antd.nist.gov>, Miek Gieben <miekg@nlnetlabs.nl>, dnssec@cafax.se
From: ted@tednet.nl (Ted Lindgreen)
Date: Fri, 20 Apr 2001 10:19:29 +0200
Delivery-Date: Fri Apr 20 14:25:29 2001
In-Reply-To: "Dan Massey's message as of Apr 19, 22:14"
Reply-To: Ted.Lindgreen@tednet.nl
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem - New PUBKEY RR?

[Quoting Dan Massey, on Apr 19, 22:14, in "Re: Keys at apex pro ..."]

> .....

Your analysis looks spot on to me.

> So I guess that is the very long way of saying I'm in favor of
> separating DNS infrastructure keys from application keys. I think
> either CERT only or CERT+PUBKEY would work, but I don't know which 
> of those two is better.

Yes, I think you are right.

From the three alternatives I see:

1. Live with non-zone-KEY RRs in the apex.
2. Separate KEY RR usage (KEY in apex is zoneKEY and zoneKEY only,
   KEY RRs outside apex are for other usage), and try to enforce
   this usage by SHOULD or MUST.
3. Limit the KEY RR usage to zoneKEY only and use some other RR
   for anything else.

Number 3 certainly looks the cleanest.

Regards,
-- Ted.
