To:
Ted.Lindgreen@tednet.nl
Cc:
Dan Massey <masseyd@isi.edu>, Jakob Schlyter <jakob@crt.se>, Scott Rose <scottr@antd.nist.gov>, Miek Gieben <miekg@nlnetlabs.nl>, dnssec@cafax.se
From:
Miek Gieben <miekg@nlnetlabs.nl>
Date:
Fri, 20 Apr 2001 10:30:56 +0200
Delivery-Date:
Fri Apr 20 14:25:31 2001
In-Reply-To:
<200104200819.KAA17982@omval.tednet.nl>; from ted@tednet.nl on Fri, Apr 20, 2001 at 10:19:29AM +0200
Sender:
owner-dnssec@cafax.se
Subject:
Re: Keys at apex problem - New PUBKEY RR?
On Fri, Apr 20, 2001 at 10:19:29AM +0200, Ted Lindgreen wrote: > >From the three alternatives I see: > > 1. Live with non-zone-KEY RRs in the apex. > 2. Separate KEY RR usage (KEY in apex is zoneKEY and zoneKEY only, > KEY RRs outside apex are for other usage), and try to enforce > this usage by SHOULD of MUST. > 3. Limit the KEY RR usage to zoneKEY only and use some other RR > for anything else. > > number 3 certainly looks the cleanest. i agree, and it can be done now with bind9 and CERT RRs, grtz Miek