[ksk-rollover] Stand-by KSK for algorithm rollover
fred at isc.org
Wed Apr 10 17:17:41 UTC 2019
> On Apr 10, 2019, at 3:31 AM, Davey Song(宋林健) <ljsong at biigroup.cn> wrote:
> I noticed that no stand-by KSK is pre-published in the 2017 KSK rollover, right? I put it down to the limitation on the size of DNS responses. Any other concerns about a stand-by KSK in a real production network?
Besides the fact that publishing a secondary or future key gives a potential attacker that much longer to crack it? That is essentially the same as pre-publishing other keys, which has been discussed in some detail on this list.