Re: [DNSOP] how to delete obsolete DS for obsolete DNSKEY using CDS/CDNSKEY

Joe Abley <jabley@hopcount.ca> Fri, 07 February 2014 19:12 UTC

Content-Type: multipart/signed; boundary="Apple-Mail=_2B294060-FF31-4390-8760-DDF4497B9D81"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <52F52386.4070305@dougbarton.us>
Date: Fri, 07 Feb 2014 14:12:00 -0500
Message-Id: <0D3FD7ED-0A92-4B8E-9619-2B7D84013DD6@hopcount.ca>
References: <CAJE_bqe95pn8rHvK3UffPDn+_rGYiq2G5sfdgqisH4JG7gFjBA@mail.gmail.com> <CAHw9_i+Jt4Ok+CddheGT_nA=e4srgbUSQy98GeQ9qGn_Cncjag@mail.gmail.com> <52F52215.9090709@dougbarton.us> <CAHw9_i+Aanz5NZVO5Q_x=1zyFzHZSmeU6yoLx3cDkwD2sC-XMA@mail.gmail.com> <52F52386.4070305@dougbarton.us>
To: Doug Barton <dougb@dougbarton.us>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] how to delete obsolete DS for obsolete DNSKEY using CDS/CDNSKEY
Precedence: list

On 2014-02-07, at 13:18, Doug Barton <dougb@dougbarton.us> wrote:

> On 02/07/2014 10:14 AM, Warren Kumari wrote:
> 
>> We are not allowing zones to go from unsigned to signed:
> 
> Right, and because it says not to do it in the RFC no one is going to do it? :)

I don't see how it would work. The parental agent has no automated way to trust the C* RRSets published in a zone with no secure delegation from its parent.

Joe

Attachment: signature.asc

[DNSOP] how to delete obsolete DS for obsolete DN… 神明達哉
Re: [DNSOP] how to delete obsolete DS for obsolet… Warren Kumari
Re: [DNSOP] how to delete obsolete DS for obsolet… Tony Finch
Re: [DNSOP] how to delete obsolete DS for obsolet… 神明達哉
Re: [DNSOP] how to delete obsolete DS for obsolet… Doug Barton
Re: [DNSOP] how to delete obsolete DS for obsolet… Warren Kumari
Re: [DNSOP] how to delete obsolete DS for obsolet… Doug Barton
Re: [DNSOP] how to delete obsolete DS for obsolet… Olafur Gudmundsson
[DNSOP] DNSKEY Flags vs. CDS/CDNSKEY Mukund Sivaraman
Re: [DNSOP] how to delete obsolete DS for obsolet… Warren Kumari
Re: [DNSOP] DNSKEY Flags vs. CDS/CDNSKEY Joe Abley
Re: [DNSOP] how to delete obsolete DS for obsolet… Joe Abley
Re: [DNSOP] how to delete obsolete DS for obsolet… Warren Kumari
Re: [DNSOP] how to delete obsolete DS for obsolet… Joe Abley
Re: [DNSOP] DNSKEY Flags vs. CDS/CDNSKEY Paul Wouters
Re: [DNSOP] DNSKEY Flags vs. CDS/CDNSKEY Olafur Gudmundsson
Re: [DNSOP] how to delete obsolete DS for obsolet… JINMEI Tatuya / 神明達哉
Re: [DNSOP] how to delete obsolete DS for obsolet… JINMEI Tatuya / 神明達哉

Re: [DNSOP] how to delete obsolete DS for obsolete DNSKEY using CDS/CDNSKEY

Attachment: signature.asc