[ksk-rollover] (Un)planning future KSK replacements

StJohns, Michael msj at nthpermutation.com
Fri Mar 29 13:43:06 UTC 2019

Won’t be useful for 5011 resolvers.   They’re looking for a specific
pattern of data publishing of dnskey and rrsigs. Publishing a cdnskey
wouldn’t result in any new trust anchor  being installed.


On Fri, Mar 29, 2019 at 13:44 Ray Bellis <ray at isc.org> wrote:

> On 29/03/2019 13:26, StJohns, Michael wrote:
> > *grumble* It’s not 5011s fault if  the root zone does not currently
> > include standby keys.
> No slight at you intended, Mike :)
> > Fortunately, that may be a shorter term issue.   Mike
> If standby keys become a thing, would it perhaps be useful if keys were
> pre-published as CDNSKEY / CDS records in the root so that they can be
> distributed without causing additional computational load on validators
> or bloating of the DNSKEY RR set?
> Ray
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190329/458ff1cc/attachment.html>

More information about the ksk-rollover mailing list