Re: Self-service tooling requires fine-grained authz -- it's NOT about the application protocol (was Re: (internal) DNS dysfunction is enterprise settings)


 



On Tue, Mar 12, 2019 at 10:34:22AM +1100, Mark Andrews wrote:
> The DNS has had that for ~2 decades now.  KEY records provide that.  You need an
> administrator to add a KEY record.  They authorise future changes by signing
> them with the private part of the key record using SIG(0).  This exists in products
> TODAY.  The same can also be done with TSIG but requires different key management.

The difficult part there is key management.

You can absolutely get fine-grained authz using cryptography like that.
But it won't be terribly user friendly.

Nico
-- 



