[ksk-rollover] (Un)planning future KSK replacements
Evan Hunt
each at isc.org
Fri Mar 29 13:20:34 UTC 2019
On Fri, Mar 29, 2019 at 01:44:06PM +0100, Ray Bellis wrote:
> If standby keys become a thing, would it perhaps be useful if keys were
> pre-published as CDNSKEY / CDS records in the root so that they can be
> distributed without causing additional computational load on validators
> or bloating of the DNSKEY RR set?
I like this idea a lot.
CDS seems like it's probably more doable than CDNSKEY. IIRC, the IANA
powers-that-be have been resistant in the past to pre-publishing public
keys but more open to pre-publishing hashes.
So, CDS in a typical zone would be a signal to the parent to update the DS,
and in the root zone it would be a signal to validators to update their
trust anchors. (5011 holddown timing should probably apply, though...)
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the ksk-rollover
mailing list