Jump to first page
 -56
Parental signature
adopting orphans carefullyÉ
nParents needs to check if the child KEY is really their childŐsÉ Did you get the KEY from the source authoritative for the child zone?
nThis needs an out-of-DNS identification
nOpen operational issue:
nHow do you identify the KEY comes from an authoritative source?
uBilling information?
uPhone call?
uSecret token exchange via surface mail?
Note:
This might be one of the most difficult parts of DNSSEC. As, yet there are no documents describing/advising a procedure.


Whatever you choose to do, make sure that you document the procedure and the interactions.

This is a one-off interaction. Once the KEY is accepted it can be used as a bootstrap for future key exchanges.