-----Original Message-----
From: Patrik Fältström [mailto:paf@cisco.com]
Subject: Re: [dns-wg] DNSSEC - DS RR provisioning
On 6 Oct 2009, at 12.30, Antoin Verschuren wrote:
So I would like the update to use the DNS protocol, and I would accept updates directly from the child zone if it has a secure delegation. I would accept DS, NS and glue updates.
Can you expand on this? Using SIG(0) where the public key is signed and in the child zone (for example)?
When there is an existing chain of trust between the parent and child zone, that chain can be used to authenticate changes in the child zone to the parent. So the child signals the parent to query the child zone for changes to the DNSKEY, NS or glue records. Since these records are signed, and the parent can trust the signed content in the child zone, it can update the parent zone with any record that needs to be in there, syncing the content in the child zone with the content in the parent zone.

Antoin Verschuren
Technical Policy Advisor
SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren@sidn.nl
xmpp:antoin@jabber.sidn.nl
http://www.sidn.nl/
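The parent-side step Antoin describes, deriving DS records from the child's already-validated DNSKEY RRset, as an added example that is not part of the thread or of any SIDN code; the zone name and key material are constructed, and signature validation of the fetched RRset is assumed to have happened before this runs:

```python
"""Derive DS records from a child zone's DNSKEY RRset (RFC 4034:
key tag per Appendix B, DS digest per section 5.1.4)."""
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete alg 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            public_key: bytes, digest_type: int = 2) -> dict:
    """DS RDATA fields: digest is over owner-name wire form + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest.upper()}

def ds_records_for_zone(owner: str, dnskeys: list, digest_type: int = 2) -> list:
    """Only keys with the SEP bit (flags bit 0x0001, i.e. KSKs) get a DS in the parent."""
    return [make_ds(owner, k["flags"], k["protocol"], k["algorithm"],
                    k["public_key"], digest_type)
            for k in dnskeys if k["flags"] & 0x0001]

# Constructed sample: one KSK (flags 257) and one ZSK (flags 256) for a
# hypothetical child zone, with placeholder key bytes rather than real keys.
SAMPLE_ZONE = "example.nl."
SAMPLE_DNSKEYS = [
    {"flags": 257, "protocol": 3, "algorithm": 8, "public_key": base64.b64decode("AQID")},
    {"flags": 256, "protocol": 3, "algorithm": 8, "public_key": base64.b64decode("BAUG")},
]

if __name__ == "__main__":
    for ds in ds_records_for_zone(SAMPLE_ZONE, SAMPLE_DNSKEYS):
        print(f"{SAMPLE_ZONE} IN DS {ds['key_tag']} {ds['algorithm']} "
              f"{ds['digest_type']} {ds['digest']}")
```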