To:
Olafur Gudmundsson <ogud@ogud.com>
Cc:
dnssec@cafax.se, namedroppers@ops.ietf.org
From:
Miek Gieben <miekg@nlnetlabs.nl>
Date:
Fri, 1 Jun 2001 11:13:01 +0200
Delivery-Date:
Sun Jun 3 08:00:10 2001
In-Reply-To:
<5.1.0.14.0.20010531093041.02372d20@localhost>; from ogud@ogud.com on Thu, May 31, 2001 at 09:33:58AM -0400
Sender:
owner-dnssec@cafax.se
Subject:
Re: Fwd: I-D ACTION:draft-ietf-dnsext-delegation-signer-00.txt
[On 31 May, 2001, Olafur Gudmundsson wrote in " Fwd: I-D ACTION:draft-ietf-dnsext-delegation-signer-00.txt ] > > Just in case anyone did not see this one, here are my .02 SKR solution to > the problem of keysets at apex. > Please read and comment as I would like do figure out real soon > if this is better or worse than Sigs at parent. > If there is no consensus on either this or Sigs at parent then sigs at > child wins. We at NLnet Labs see it like this: Nobody (at least the DNSSEC people) want sig@child, because of all the operational issues involved. That leaves us with 2 options: 1) sig@parent 2) delegation-signer 1) solves the operational issues but introduces complications in the resolver implementation. 2) also solves the operational issues , but doesn't introduce new problems in a secure aware resolver. grtz Miek