Hello, in RFC 5011, section 6.6, "Trust Point Deletion" (== KSK rollover), there is an unconditional statement to set the REVOKE bit on the "old" KSK once the parent zone publishes the DS record of the new KSK.
I / we at EURid / are interested to learn whether this unconditional setting of the revocation bit is generally considered best practice. This, in my opinion, adds more complexity for the administrator of DNSSEC zones. Isn't it enough to use the REVOKE bit only in case of an actual or suspected compromise?

Your comments are welcome!

Kind regards,
Marc Lampo
---
Security Officer for EURid
---
http://www.linkedin.com/pub/dir/Marc/Lampo
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
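For readers following the question above, an added example (not part of the original post and not EURid or ISC code) showing the two mechanics that the REVOKE bit brings with it: the flag sits in the DNSKEY flags field (0x0080, RFC 5011 section 2.1), and because the RFC 4034 key tag is computed over the flags, a revoked key gets a different key tag, which matters for any configuration that refers to keys by tag. The trust-anchor store is a deliberately minimal model of the RFC 5011 state machine, covering only the Valid to Revoked transition; the public key bytes are constructed placeholders, not real keys, and RRSIG verification is assumed to have happened elsewhere (the set of validated signers is passed in rather than computed).

```python
"""Added example, not part of the original post or of any EURid or ISC code.
Builds DNSKEY RDATA, computes the RFC 4034 key tag, and walks a minimal
RFC 5011 trust-anchor store through a self-signed revocation."""
import struct

FLAG_ZONE = 0x0100    # RFC 4034 section 2.1.1
FLAG_REVOKE = 0x0080  # RFC 5011 section 2.1
FLAG_SEP = 0x0001     # RFC 4034 section 2.1.1


def dnskey_rdata(flags, algorithm, pubkey):
    """Wire-format DNSKEY RDATA: flags(2), protocol(1, always 3), algorithm(1), key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def flags_of(rdata):
    return struct.unpack("!H", rdata[:2])[0]


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def revoke(rdata):
    """Same key with the REVOKE bit set; the key tag changes as a side effect."""
    return struct.pack("!H", flags_of(rdata) | FLAG_REVOKE) + rdata[2:]


def key_material(rdata):
    """Identity of a key independent of its flags: (algorithm, public key)."""
    return rdata[3], rdata[4:]


class TrustAnchorStore:
    """Minimal RFC 5011 section 4 state for the Valid -> Revoked transition.

    AddPend, Missing and the add/remove hold-down timers are left out on
    purpose; this only shows under which condition a revocation is accepted.
    """

    def __init__(self, anchors):
        self.state = {key_material(r): "Valid" for r in anchors}

    def trusted(self):
        return {km for km, st in self.state.items() if st == "Valid"}

    def process_dnskey_rrset(self, rrset, validated_signers):
        """Apply RFC 5011 section 2.1 to an apex DNSKEY RRset.

        validated_signers: RDATA of keys whose RRSIG over this RRset already
        verified cryptographically (assumed done elsewhere, not implemented).
        """
        signers = {key_material(r) for r in validated_signers}
        for rdata in rrset:
            km = key_material(rdata)
            if self.state.get(km) != "Valid":
                continue
            if not flags_of(rdata) & FLAG_REVOKE:
                continue
            # A revocation is honoured only when the revoked key itself signs
            # the RRset (with the REVOKE bit set). Otherwise it is ignored, so
            # an unsigned or third-party "revocation" cannot strip an anchor.
            if km in signers:
                self.state[km] = "Revoked"
        return self.state


# Constructed placeholders, not real keys: 16 bytes keep the tag checkable by hand.
FAKE_PUBKEY = bytes(range(1, 17))
OLD_KSK = dnskey_rdata(FLAG_ZONE | FLAG_SEP, 13, FAKE_PUBKEY)
NEW_KSK = dnskey_rdata(FLAG_ZONE | FLAG_SEP, 13, bytes(range(17, 33)))


def demo():
    revoked = revoke(OLD_KSK)
    store = TrustAnchorStore([OLD_KSK])
    # Revocation not signed by the revoked key: ignored, anchor stays Valid.
    store.process_dnskey_rrset([revoked, NEW_KSK], validated_signers=[NEW_KSK])
    after_unsigned = store.state[key_material(OLD_KSK)]
    # Self-signed revocation: accepted, anchor moves to Revoked.
    store.process_dnskey_rrset([revoked, NEW_KSK], validated_signers=[revoked, NEW_KSK])
    after_selfsigned = store.state[key_material(OLD_KSK)]
    return key_tag(OLD_KSK), key_tag(revoked), after_unsigned, after_selfsigned


if __name__ == "__main__":
    print(demo())  # (17494, 17622, 'Valid', 'Revoked')
```

The key-tag change is the operational caveat behind the question: a `trusted-keys`-style entry or a DS/RRSIG reference that names the old KSK by tag no longer matches once the REVOKE bit is set, so the zone must keep publishing the revoked key long enough for RFC 5011 followers to see it signed by itself, while everything keyed by tag needs the new value.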