[ksk-rollover] Retention of the 2010 KSK

Tony Finch dot at dotat.at
Fri Mar 29 14:42:59 UTC 2019

Hugo Salgado-Hernández <hsalgado at nic.cl> wrote:
> Actually, I can see a use for the KSK-2010 yet. We can measure the
> "sunsetting" of this key from the resolvers by having a special
> record somewhere signed only by KSK-2010, and by testing its
> validation status from a resolver we could know if it's revoked or
> if it's still configured as a trust anchor.

That depends on some tricky assumptions about how the validator works.

* The validator's trust anchor configuration might be in DS record form,
  rather than public key form, in which case it won't be able to validate
  unless the key appears in the DNSKEY record.

* The validator might only use its trust anchor public keys for
  validating signatures on the DNSKEY RRset, and not allow the trust
  anchor to be used for validating any other records.

I think the latter is true for BIND, for example.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Trafalgar: Easterly or northeasterly 4 or 5, but 6 to gale 8 in far southeast,
becoming variable 4 later in north. Slight or moderate, but rough in
southeast. Mainly fair. Good.
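The two validator behaviours described in the mail can be modelled directly. The following Python is an added illustration, not code from the list or from any resolver: it computes a DNSKEY key tag and DS digest the way RFC 4034 specifies them, then asks whether a record signed only by a key that is no longer in the root DNSKEY RRset could still be accepted. Signature verification itself is not performed (a signature is modelled simply as "made by this key"), the key material is constructed, and the policy flag `anchor_only_for_dnskey` is an assumption used to stand for the BIND-style restriction mentioned above.

```python
import hashlib
import struct
from typing import List, Optional


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-cased labels), RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA, RFC 4034 Appendix B (the non-RSA/MD5 variant)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256) over owner name || DNSKEY RDATA, RFC 4034 section 5.1.4."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def key_anchor(rdata: bytes) -> dict:
    """Trust anchor configured as the public key itself."""
    return {"form": "key", "rdata": rdata}


def ds_anchor(owner: str, rdata: bytes) -> dict:
    """Trust anchor configured in DS form: a key tag and a digest, not the key."""
    return {"form": "ds", "owner": owner, "key_tag": key_tag(rdata),
            "digest": ds_digest(owner, rdata)}


def resolve_anchor_key(anchor: dict, dnskey_rrset: List[bytes]) -> Optional[bytes]:
    """Return the DNSKEY RDATA the anchor designates, or None.

    A key-form anchor carries the key. A DS-form anchor is only a digest, so it
    can be matched solely against keys actually present in the DNSKEY RRset the
    validator fetched; a key that has been removed cannot be recovered from it.
    """
    if anchor["form"] == "key":
        return anchor["rdata"]
    for rdata in dnskey_rrset:
        if (key_tag(rdata) == anchor["key_tag"]
                and ds_digest(anchor["owner"], rdata) == anchor["digest"]):
            return rdata
    return None


def can_validate(anchor: dict, dnskey_rrset: List[bytes], signer: bytes,
                 rrset_is_dnskey: bool, anchor_only_for_dnskey: bool) -> bool:
    """Model whether a validator accepts a signature made by `signer` directly
    under `anchor`. No cryptography is done; only the two questions from the
    mail are modelled: can the anchor be resolved to a key at all, and may
    that key be used to sign something other than the DNSKEY RRset."""
    key = resolve_anchor_key(anchor, dnskey_rrset)
    if key is None or key != signer:
        return False
    if anchor_only_for_dnskey and not rrset_is_dnskey:
        return False
    return True


# Constructed sample keys; the byte strings stand in for real public keys.
KSK_2010 = dnskey_rdata(257, 3, 8, b"constructed-ksk-2010-public-key")
KSK_2017 = dnskey_rdata(257, 3, 8, b"constructed-ksk-2017-public-key")


def sunset_probe_outcomes() -> dict:
    """The probe from the mail: a non-DNSKEY record signed only by KSK-2010,
    checked after KSK-2010 has been dropped from the root DNSKEY RRset."""
    root_dnskey = [KSK_2017]  # KSK-2010 no longer published
    return {
        "ds_anchor": can_validate(ds_anchor(".", KSK_2010), root_dnskey, KSK_2010,
                                  rrset_is_dnskey=False, anchor_only_for_dnskey=False),
        "key_anchor_any_rrset": can_validate(key_anchor(KSK_2010), root_dnskey, KSK_2010,
                                             rrset_is_dnskey=False, anchor_only_for_dnskey=False),
        "key_anchor_dnskey_only": can_validate(key_anchor(KSK_2010), root_dnskey, KSK_2010,
                                               rrset_is_dnskey=False, anchor_only_for_dnskey=True),
    }


if __name__ == "__main__":
    for case, ok in sunset_probe_outcomes().items():
        print(f"{case}: {'validates' if ok else 'does not validate'}")
```

Only the key-form anchor combined with a validator that lets trust anchors sign arbitrary RRsets yields a "validates" answer; the DS-form anchor fails because there is no published key left to match the digest against, and the DNSKEY-only policy fails because the probe record is not a DNSKEY RRset. A measurement based on such a record would therefore mostly report on validator implementation choices rather than on whether KSK-2010 is still configured.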
