Re: DNSCurve vs. DNSSEC - FIGHT! (was OpenDNS today announced it has adopted DNSCurve to secure DNS)

Paul Wouters wrote:

DNSSEC declares out of scope:
      * the channel where DS records get added to the parent

Is that actually out of scope or just not specified yet?

Out of scope. It is the bootstrap problem. Though with RFC-5011
It is much more than a bootstrap problem.
and perhaps draft-wijngaards-dnsop-trust-history-02 the above
bullet might should probably read "where initial DS records get added"

Once you have established the first DS record, you should be able
to rollover without losing the path of trust.
There are planned rollovers, but there are also compromises, NS authority changes, etc.

All of these things are normal in a production environment and should be
treated with standard procedures.

And these procedures are out of scope of DNSSEC.

dol@

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

