[dnssec-deployment] Signatures on the DNSKEY
Mark Andrews
marka at isc.org
Thu Oct 1 18:45:53 EDT 2009
In message <list-18080154 at execdsl.com>, Edward Lewis writes:
> Nothing bars the extraneous signature (it's not barred currently) and
> I do not propose barring it. I would though prefer that we write
> software that does not add it "by default." (An implementation
> should by default avoid the extraneous signature but allow the
> administrator to have it issued on demand.) It's up to the
> implementation to figure out how to do this.

No. An implementation should default to working in all cases. named
will get flags added to turn off the signing of the DNSKEY RRset
with a ZSK when there is a KSK signature. The default will remain
to sign with the ZSK.

A key manager that follows the parent's DS may choose to minimise
the RRSIG set.

One could always follow up with the sites that advertise EDNS at 4096
then fall back to smaller sizes and point out to them that they have
middleware that is blocking the initial response. You are in a position
to see such sites.

Mark
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar You can leave a voice message at +1-571-434-5468
>
> As with IPv6, the problem with the deployment of frictionless surfaces is
> that they're not getting traction.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org