

To: Olafur Gudmundsson <ogud@ogud.com>
Cc: dnssec@cafax.se, namedroppers@ops.ietf.org
From: Miek Gieben <miekg@nlnetlabs.nl>
Date: Fri, 1 Jun 2001 11:13:01 +0200
Delivery-Date: Sun Jun 3 08:00:10 2001
In-Reply-To: <5.1.0.14.0.20010531093041.02372d20@localhost>; from ogud@ogud.com on Thu, May 31, 2001 at 09:33:58AM -0400
Sender: owner-dnssec@cafax.se
Subject: Re: Fwd: I-D ACTION:draft-ietf-dnsext-delegation-signer-00.txt

[On 31 May, 2001, Olafur Gudmundsson wrote in "Fwd: I-D ACTION:draft-ietf-dnsext-delegation-signer-00.txt"]
> 
> Just in case anyone did not see this one, here is my .02 SKR solution to
> the problem of keysets at apex.
> Please read and comment as I would like to figure out real soon
> if this is better or worse than Sigs at parent.
> If there is no consensus on either this or Sigs at parent then sigs at
> child wins.
We at NLnet Labs see it like this:

Nobody (at least the DNSSEC people) wants sig@child, because
of all the operational issues involved. That leaves us with 
2 options:
1) sig@parent
2) delegation-signer

1) solves the operational issues but introduces complications in the
resolver implementation.

2) also solves the operational issues, but doesn't introduce new
problems in a secure aware resolver.

grtz Miek


