[ksk-rollover] alternatives to 5110 for automating roll-over

Matthew Pounsett matt at conundrum.com
Thu Apr 4 23:20:31 UTC 2019


On Mon, 1 Apr 2019 at 11:54, Michael Richardson <mcr+ietf at sandelman.ca> wrote:
>
>
> Matthew Pounsett <matt at conundrum.com> wrote:
>     > Someone suggested keeping a set of DNSKEYs with a chain of RRSIGs in an
>     > alternate zone, but that isn't scalable to multiple trust anchors unless
>     > you've also got some way to signal the name of the alternate zone at the
>     > apex. And then we're talking about adding a delegation to the root zone that
>     > is not a TLD registry, which has its own set of complexities.
>
> One thought is a set of files, copies of the root zone in AXFR or DNS
> presentation format.  If available via TCP at a known IP address(es), then
> the client can replay the process and roll itself forward.

That still seems root-zone specific, though.  They're not
particularly common, but there are other trust anchors out there.  As
was done with 5011, it seems prudent to think about how anything we
design could be applied to other zones.
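As an added illustration of the replay idea in the quoted message, the Python model below (not code from this thread or from any DNSSEC implementation) walks an ordered set of DNSKEY RRset snapshots and rolls a trust anchor forward with an RFC 5011-style acceptance rule: a snapshot is only believed if it is signed by a key the client already trusts, new keys are accepted after a hold-down, and a key is dropped only when the zone publishes it with the revoke flag and signs with it. The zone name, key ids and key material are constructed, signatures are HMAC stand-ins for RRSIG verification so the example runs offline, and the hold-down is counted in snapshots rather than time; the zone name is part of the signed data, so the same logic applies to any zone's history, not just the root's.

```python
import hashlib
import hmac
import json

# Consecutive validated snapshots a new key must appear in before it is
# trusted: a stand-in for the RFC 5011 add hold-down timer (assumption).
HOLD_DOWN = 2


def rrset_bytes(zone, keys):
    """Canonical serialization of one DNSKEY RRset snapshot: the zone name plus
    each key record (id, material, revoked flag), sorted so signing is stable."""
    return json.dumps({"zone": zone, "keys": sorted(keys.items())},
                      sort_keys=True).encode()


def sign(material, data):
    """HMAC tag standing in for an RRSIG; real DNSSEC uses public-key signatures."""
    return hmac.new(material.encode(), data, hashlib.sha256).hexdigest()


def make_snapshot(zone, keys, signer_ids):
    """Build one snapshot: the RRset and signatures made by the named keys."""
    data = rrset_bytes(zone, keys)
    sigs = {kid: sign(keys[kid]["material"], data) for kid in signer_ids}
    return {"zone": zone, "keys": keys, "sigs": sigs}


def roll_forward(trusted, snapshots):
    """Replay snapshots oldest-first. `trusted` maps key id -> material the
    client already holds. Returns the trusted set after the last snapshot;
    raises ValueError if some snapshot cannot be validated with the keys
    trusted at that point (a gap in the history breaks the chain)."""
    trusted = dict(trusted)
    pending = {}  # key id -> consecutive validated snapshots it appeared in
    for n, snap in enumerate(snapshots):
        data = rrset_bytes(snap["zone"], snap["keys"])
        # Verify with the material we already hold, never with material taken
        # from the snapshot itself, so a forged snapshot cannot swap a key.
        valid_signers = {
            kid for kid, sig in snap["sigs"].items()
            if kid in trusted and hmac.compare_digest(sign(trusted[kid], data), sig)
        }
        if not valid_signers:
            raise ValueError(f"snapshot {n}: no valid signature by a trusted key")
        # Revocation: a revoked key is dropped only when it also signed the RRset.
        for kid, rec in snap["keys"].items():
            if rec["revoked"] and kid in valid_signers:
                trusted.pop(kid, None)
                pending.pop(kid, None)
        # New, unrevoked keys become trusted once they survive the hold-down.
        seen = {kid for kid, rec in snap["keys"].items() if not rec["revoked"]}
        for kid in seen:
            if kid in trusted:
                continue
            pending[kid] = pending.get(kid, 0) + 1
            if pending[kid] >= HOLD_DOWN:
                trusted[kid] = snap["keys"][kid]["material"]
                del pending[kid]
        # A key that vanishes before its hold-down completes starts over.
        for kid in list(pending):
            if kid not in seen:
                del pending[kid]
    return trusted


def demo_zone(zone="example."):
    """Constructed history: KSK 1 introduces KSK 2, then revokes itself."""
    ksk1 = {"material": "ksk1-secret-material", "revoked": False}
    ksk2 = {"material": "ksk2-secret-material", "revoked": False}
    ksk1_revoked = dict(ksk1, revoked=True)
    return [
        make_snapshot(zone, {"1": ksk1}, ["1"]),
        make_snapshot(zone, {"1": ksk1, "2": ksk2}, ["1", "2"]),
        make_snapshot(zone, {"1": ksk1, "2": ksk2}, ["1", "2"]),
        make_snapshot(zone, {"1": ksk1_revoked, "2": ksk2}, ["1", "2"]),
        make_snapshot(zone, {"2": ksk2}, ["2"]),
    ]


def example_roll():
    """Client holding only KSK 1 replays the full history and ends on KSK 2."""
    return roll_forward({"1": "ksk1-secret-material"}, demo_zone())


def example_unsigned_key():
    """A snapshot carrying only a key the client never trusted is rejected."""
    rogue = {"9": {"material": "rogue-material", "revoked": False}}
    snaps = demo_zone()[:1] + [make_snapshot("example.", rogue, ["9"])]
    try:
        roll_forward({"1": "ksk1-secret-material"}, snaps)
    except ValueError as err:
        return str(err)
    return None


def example_gap():
    """Skipping the intermediate snapshots breaks the chain: the last RRset is
    signed only by KSK 2, which the client has not yet learned to trust."""
    history = demo_zone()
    try:
        roll_forward({"1": "ksk1-secret-material"}, [history[0], history[4]])
    except ValueError as err:
        return str(err)
    return None
```

The gap case is the practical reason the quoted proposal needs the complete sequence of zone copies rather than only the current one: a client that has been offline across a roll has nothing that vouches for the new key unless it can see the RRsets in which the old key signed for it.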
