To: Olafur Gudmundsson <ogud@ogud.com>
cc: dnssec@cafax.se
From: Olaf Kolkman <OKolkman@ripe.net>
Date: Tue, 12 Jun 2001 11:25:34 +0200
Delivery-Date: Tue Jun 12 15:28:24 2001
In-reply-to: Your message of Thu, 31 May 2001 09:33:58 EDT. <5.1.0.14.0.20010531093041.02372d20@localhost>
Sender: owner-dnssec@cafax.se
Subject: Re: Fwd: I-D ACTION:draft-ietf-dnsext-delegation-signer-00.txt

Olafur Gudmundsson <ogud@ogud.com> writes:

 *
 * Just in case anyone did not see this one, here are my .02 SKR solution to
 * the problem of keysets at apex.
 * Please read and comment as I would like to figure out real soon
 * if this is better or worse than Sigs at parent.

Hi Olafur,

I have a small question:

In the abstract you write:

"... proposes to store a different record in the parent that specifies which one of the child's keys can sign the child's KEY set. ..."

This seems a little restrictive. Can't the Child's key, as pointed to by the DK record, be used to sign the other child data as well? Why only child's KEY's?

Only in the abstract you explicitly mention this and you refer to this scheme when talking about regular key roll overs so I wonder if the 'restriction' is intentional and if so why?

Can you clarify?

--Olaf