To: EPP Provreg <ietf-provreg@cafax.se>
From: Andrew Sullivan <ajs@shinkuro.com>
Date: Tue, 26 Jan 2010 17:33:39 -0500
Content-Disposition: inline
In-Reply-To: <C784D53E.370DD%jgould@verisign.com>
Mail-Followup-To: Andrew Sullivan <ajs@shinkuro.com>,EPP Provreg <ietf-provreg@cafax.se>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: off-list was Re: [ietf-provreg] Revision of 4310

On Tue, Jan 26, 2010 at 05:22:06PM -0500, James Gould wrote:
> Yes, we kind of got into the weeds of DNSSEC specifics.

In my view, if we're making software to support DNSSEC, we need to understand how it's going to be used. For all I (or anyone else, AFAICS) knows, this proposed feature is a bad idea, because nobody will use it.

We need to understand whether there's a compelling use case for communicating the status of a DNSKEY or its RRSIG across the zone cut. If not, then the feature is a bad idea & we should argue against it. If it is likely to be used, that's a different story.

> I believe the request was to add a flag to the draft to allow the client to
> indicate to the server that the DNSKEY is active in the child zone.

That's one idea of three. See Ed's initial message. What I'm trying to see is whether, of the two actually useful ideas we've discussed, whether any of them are really useful and whether one is to be preferred to the other. For sure, the suggestion that "inactive" means "don't publish DS" is silly, for the reasons you already suggested.

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.