APPKEY: where to store application keys?

• storing non-DNS keys in a KEY RR under the same (delegated) zone name make these keys part of the same RRset as the zone signing key(s).

• then this RRset needs re-signing (presently by the parent) each time these non-DNS keys change.

• this is bad and should stop.

• but where should we put those keys instead?

Previous slide

Next slide

Back to first slide

View graphic version