[ksk-rollover] Stand-by KSK for algorithm rollover

Fred Baker fred at isc.org
Wed Apr 10 17:17:41 UTC 2019



> On Apr 10, 2019, at 3:31 AM, Davey Song(宋林健) <ljsong at biigroup.cn> wrote:
> 
> I noticed that no stand-by KSK is pre-published in the 2017 KSK rollover, right? I put it down to the limitation on the size of DNS responses. Any other concerns about a stand-by KSK in a real production network?

Besides the fact that publishing a secondary or future key gives a potential attacker that much longer to crack it? That is essentially the same as pre-publishing other keys, which has been discussed in some detail on this list.
