[ksk-rollover] (Un)planning future KSK replacements
StJohns, Michael
msj at nthpermutation.com
Fri Mar 29 13:43:06 UTC 2019
Won’t be useful for 5011 resolvers. They’re looking for a specific
pattern of data publishing of dnskey and rrsigs. Publishing a cdnskey
wouldn’t result in any new trust anchor being installed.
Mike
On Fri, Mar 29, 2019 at 13:44 Ray Bellis <ray at isc.org> wrote:
>
>
> On 29/03/2019 13:26, StJohns, Michael wrote:
> > *grumble* It’s not 5011s fault if the root zone does not currently
> > include standby keys.
>
> No slight at you intended, Mike :)
>
> > Fortunately, that may be a shorter term issue. Mike
>
> If standby keys become a thing, would it perhaps be useful if keys were
> pre-published as CDNSKEY / CDS records in the root so that they can be
> distributed without causing additional computational load on validators
> or bloating of the DNSKEY RR set?
>
> Ray
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190329/458ff1cc/attachment.html>
More information about the ksk-rollover
mailing list