

To: DNSEXT <namedroppers@ops.ietf.org>
Cc: Mark Kosters <markk@netsol.com>, <dnssec@cafax.se>
From: Jakob Schlyter <jakob@crt.se>
Date: Fri, 29 Jun 2001 18:39:23 +0200 (MEST)
Delivery-Date: Sat Jun 30 08:11:29 2001
In-Reply-To: <200106271101.HAA25179@ietf.org>
Sender: owner-dnssec@cafax.se
Subject: Re: I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt

I think the opt-in flag should be moved to a separate RR, a modified
version of Ed Lewis's SEC RR would probably be a good choice (although I
would perhaps like to call it ZSS for Zone Security Status instead).

The opt-in flag is a per-zone flag. As there could be multiple zone keys
and if KEY would include this flag, all zone keys have to have the same
flag (for that bit). Also, as the zone keys are signed by the parent, the
child can not change from/to opt-in without having the parent sign the
child's key.

	jakob

--
Jakob Schlyter <jakob@crt.se>                Network Analyst
Phone:  +46 31 701 42 13, +46 70 595 07 94   Carlstedt Research & Technology



