Mark Andrews wrote:
Actually you can do exactly the same thing for glue. KEY records below bottom of zone cut exactly the same way as you have A and AAAA below bottom of zone cut. The only difference is the zone listed in the UPDATE message.
The tricky part is in converting a domain name of a primary nameserver to IP addresses, when the IP addresses of the primary nameserver change. If the primary nameserver asks DNS for its IP address to send an update request to itself, it will get old addresses. What if primary.childzone.parentzone.example.com is the primary for parentzone.example.com, and childzone.parentzone.example.com? Another problem is lack of redundancy: when the primary server is down, dynamic update is impossible.
Now is that a “complicated” policy?
My point is that configuring a lengthy random security key string is more painful than configuring addresses.

Masataka Ohta
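As an added example, not part of this thread or of any particular server's code, the following stdlib-only Python builds and parses RFC 2136 UPDATE messages to show the point about glue: the same A/AAAA records for a nameserver below a zone cut are sent either to the parent zone or to the child zone, and the only field that differs is the zone section. The names (`example.`, `child.example.`, `ns1.child.example.`) and addresses (`192.0.2.1`, `2001:db8::1`) are constructed documentation values. The messages are unsigned; a real deployment would append a TSIG or SIG(0) record, and the receiving primary's update policy decides whether that signer may change the owner name in question.

```python
import struct
import ipaddress

OPCODE_UPDATE = 5          # RFC 2136 opcode
TYPE_A, TYPE_SOA, TYPE_AAAA = 1, 6, 28
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name (no label compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers not supported by this parser")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def encode_rr(owner: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def address_rr(owner: str, ttl: int, address: str) -> bytes:
    """Build an A or AAAA RR from a textual address (glue for a nameserver)."""
    ip = ipaddress.ip_address(address)
    return encode_rr(owner, TYPE_A if ip.version == 4 else TYPE_AAAA, ttl, ip.packed)


def build_update(zone: str, rrs, msg_id: int = 0x1234) -> bytes:
    """UPDATE message: header, one zone entry, no prerequisites, the given RRs to add."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(rrs), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(rrs)


def parse_update(msg: bytes) -> dict:
    """Decode header, zone, prerequisite and update sections (no additional section)."""
    msg_id, flags, zo, pr, up, _ad = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    zones = []
    for _ in range(zo):
        name, off = decode_name(msg, off)
        ztype, zclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        zones.append((name, ztype, zclass))

    def read_rrs(count, off):
        out = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            out.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
        return out, off

    prereq, off = read_rrs(pr, off)
    updates, off = read_rrs(up, off)
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "zone": zones, "prereq": prereq, "update": updates}


def glue_updates(ns_name: str, addresses, parent_zone: str, child_zone: str, ttl: int = 3600):
    """Same glue RRs, one UPDATE aimed at the parent zone and one at the child zone."""
    rrs = [address_rr(ns_name, ttl, a) for a in addresses]
    return build_update(parent_zone, rrs), build_update(child_zone, rrs)


if __name__ == "__main__":
    # Constructed sample: ns1.child.example. is below the example. -> child.example. cut.
    to_parent, to_child = glue_updates("ns1.child.example.", ["192.0.2.1", "2001:db8::1"],
                                       "example.", "child.example.")
    for label, msg in (("parent", to_parent), ("child", to_child)):
        p = parse_update(msg)
        print(label, "zone:", p["zone"][0][0], "update RRs:",
              [(o, t) for o, t, _c, _ttl, _r in p["update"]])
```

Running the block prints the two parsed messages; the update sections are byte-identical and only the zone name differs, which is what decides which primary (and which update policy) the message must be sent to.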