[dns-wg] DNSSEC - DS RR provisioning

> -----Original Message-----
> From: Patrik Fältström [mailto:paf at cisco.com]
> Subject: Re: [dns-wg] DNSSEC - DS RR provisioning
> 
> * PGP Signed by an unknown key
> 
> On 6 okt 2009, at 12.30, Antoin Verschuren wrote:
> 
> > So I would like the update to use the DNS protocol, and I would
> > accept updates directly from the child zone if it has a secure
> > delegation.
> > I would accept DS, NS and glue updates.
> 
> Can you expand on this? Using SIG(0) where the public key is signed
> and in the child zone (for example)?

When there is an existing chain of trust between the parent and child zone, that chain can be used to authenticate changes in the child zone to the parent.
So the child signals the parent to query the child zone for changes to the DNSKEY, NS or glue records.
Since these records are signed, and the parent can trust the signed content in the child zone, it can update the parent zone with any record that needs to be in there. Syncing the content in the child zone with the content in the parent zone.

Antoin Verschuren

Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl  http://www.sidn.nl/