[Dnssec-deployment] accepting DS vs DNSKEY (was: KSK bytes)

Joe Abley joe.abley at icann.org
Wed May 4 08:44:02 EDT 2011

On 2011-05-04, at 15:35, Andrew Sullivan wrote:

> I thought you might say that.  What this suggests, however, is that
> the parent is to publish data for which it is authoritative, but for
> which it is not the source. 

I think the motivation for that design choice is that DS RRSets (to be useful) need to be signed in the parent zone, and if they were non-authoritative data they would not attract signatures.

I don't think it's necessary to infer from that design decision that the operator of the parent zone must necessarily be responsible for either computing the hash or choosing a hash algorithm.

The fact that established practice (as I see it, perhaps my perspective is skewed) is to send DS RDATA to the parent zone operator rather than DNSKEY RDATA provides additional disincentive to insist otherwise.
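An added worked example, not part of the thread above or of any tool the participants mention: the point under discussion is that a DS RRset is just a digest over the child's DNSKEY, so whichever side holds the DNSKEY can compute the DS, and whichever side receives a DS can recompute it from the DNSKEY and check that the two agree before publishing. The code below builds DS RDATA from a DNSKEY the way RFC 4034 specifies (key tag from Appendix B, digest over the canonical owner name plus DNSKEY RDATA) and provides the matching check. The DNSKEY it uses is constructed: the key bytes are a placeholder pattern, not a real ECDSA public key, and `example.com.` is only a sample owner name.

```python
import base64
import hashlib
import hmac
import struct

# DS digest type numbers (RFC 4034 s5.1.3, RFC 4509, RFC 6605) mapped to hashlib names.
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def owner_name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def parse_dnskey_rr(text: str):
    """Parse a presentation-format DNSKEY RR (owner [TTL] [IN] DNSKEY flags proto alg base64...)
    into (owner, rdata). The base64 key may be split over several whitespace-separated tokens."""
    tokens = text.split()
    idx = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1: idx + 4])
    key = base64.b64decode("".join(tokens[idx + 4:]))
    return owner, dnskey_rdata(flags, protocol, algorithm, key)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B.1; not the obsolete RSA/MD5 form)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2):
    """Build the DS RDATA fields (key_tag, algorithm, digest_type, digest_hex) for a DNSKEY.
    The digest covers the canonical owner name followed by the DNSKEY RDATA (RFC 4034 s5.1.4)."""
    algorithm = rdata[3]
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(owner_name_to_wire(owner) + rdata)
    return key_tag(rdata), algorithm, digest_type, h.hexdigest().upper()


def ds_matches_dnskey(owner: str, rdata: bytes, ds) -> bool:
    """Check that a submitted DS really describes this DNSKEY by recomputing every field.
    A DS with an unsupported digest type is reported as non-matching rather than skipped."""
    tag, algorithm, digest_type, digest_hex = ds
    if digest_type not in DIGEST_TYPES:
        return False
    exp_tag, exp_alg, _, exp_digest = make_ds(owner, rdata, digest_type)
    return (exp_tag, exp_alg) == (tag, algorithm) and hmac.compare_digest(
        exp_digest, digest_hex.upper()
    )


# Constructed sample: a KSK-flagged (257) DNSKEY for example.com using algorithm 13
# (ECDSAP256SHA256). The key bytes are a placeholder pattern, not a real public key.
SAMPLE_KEY = bytes(range(64))
SAMPLE_RR = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(SAMPLE_KEY).decode()


if __name__ == "__main__":
    owner, rdata = parse_dnskey_rr(SAMPLE_RR)
    tag, alg, dtype, digest = make_ds(owner, rdata)
    print(f"{owner} IN DS {tag} {alg} {dtype} {digest}")
    # A DS computed from some other key must not be accepted for this DNSKEY.
    other = make_ds(owner, dnskey_rdata(257, 3, 13, bytes(64)))
    print("matches own key:  ", ds_matches_dnskey(owner, rdata, (tag, alg, dtype, digest)))
    print("matches other key:", ds_matches_dnskey(owner, rdata, other))
```

Because `make_ds` takes the digest type as a parameter, the same routine serves the child choosing which digest algorithm to submit and the parent recomputing the DS with whatever type the child selected; a parent that wants to accept DNSKEY RDATA instead of DS RDATA only needs the first half of this code, and a parent that accepts DS can still ask for the DNSKEY and run `ds_matches_dnskey` as a sanity check before signing it into the zone.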
