
[IPSECKEY] Comments on draft-ietf-ipseckey-rr-01.txt



,----
|    An IPSECKEY resource record SHOULD be authenticated DNSSEC resource
|    record.
`----

Light-weight resolvers may prefer TSIG instead of DNSSEC.  Should this
scenario be mentioned?  E.g., add "or protected by TSIG".

,----
|    The algorithm field does not require any IANA action, as it is
|    inherited from DNS KEY algorithm values.
`----

The SIG RR also uses the same algorithm IANA registry.  It requires a
standards action to add a new algorithm.  An alternative would be to
fork the registry.

What about wildcard examples?  E.g.:

An example of a network that has delegated authority to the node with
the identity "corpgw.example.org".

*.0.2.192.in-addr.arpa. 7200 IN     IPSECKEY ( 10 5 1
                    corpgw.example.org.
                    AQOrXJxB56Q28iOO43Va36elIFFKc/QB2orIeL94BdC5X4idFQZjSpsZ
                    Th48wKVXUE9xjwUkwR4R4/+1vjNN7KFp9fcqa2OxgjsoGqCn+3OPR8La
                    9uyvZg0OBuSTj3qkbh/2HacAUJ7vqvjQ3W8Wj6sMXtTueR8NNcdSzJh1
                    49ch3zqfiXrxxna8+8UEDQaRR9KOPiSvXb2KjnuDan6hDKOT4qTZRRRC
                    MWwnNQ9zPIMNbLBp0rNcZ+ZGFg2ckWtWh5yhv1iXYLV2vmd9DB6d4Dv8
                    cW7scc3rPmDXpYR6APqPBRHlcbenfHCt+oCkEWse8OQhMM56KODIVQq3
                    fejrfi1H )

-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.