On Fri, 5 Nov 2010, Marc Lampo wrote:
>
> in RFC5011, section 6.6, "Trust Point Deletion" (== KSK rollover),

Trust point deletion isn't the same as a normal KSK rollover. It's a special procedure to make validators remove a trust anchor while maintaining the security status of the zone using a chain of trust to a higher level.

More generally, you don't need to follow RFC 5011 in most cases. It only matters if you are running a zone which you expect validators to configure as a trust anchor. For most practical purposes the only zones this applies to are the root and dlv.isc.org. (I don't know of any other zones that are run according to RFC 5011.)

For other zones, what matters is the chain of trust, and specifically the DS RRset at the delegation point in their parent zone.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7, DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR ROUGH. RAIN THEN FAIR. GOOD.
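
Added example, not part of the original message or of BIND: a sketch of the DS-to-DNSKEY match that forms the chain of trust at a delegation point, using the RFC 4034 key tag and a SHA-256 (digest type 2) DS. It also shows that a key carrying the RFC 5011 REVOKE flag no longer matches the DS published for it. The zone name, key bytes and function names are constructed for illustration.

```python
import hashlib
import struct

REVOKE = 0x0080  # RFC 5011 REVOKE flag bit
SEP = 0x0001     # Secure Entry Point (KSK) flag bit

def name_to_wire(name):
    """Canonical (lower-case) wire form of an absolute domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields: (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def keys_matching_ds(owner, ds_rrset, dnskey_rrset):
    """Key tags of the child's DNSKEYs that a DS in the parent vouches for."""
    return [key_tag(k) for k in dnskey_rrset if make_ds(owner, k) in ds_rrset]

# Constructed sample data: these byte strings are not real public keys.
OWNER = "example.org."
PUB = bytes(range(32))
KSK = dnskey_rdata(256 | SEP, 3, 13, PUB)
ZSK = dnskey_rdata(256, 3, 13, bytes(range(32, 64)))
KSK_REVOKED = dnskey_rdata(256 | SEP | REVOKE, 3, 13, PUB)
PARENT_DS = [make_ds(OWNER, KSK)]  # what the parent zone would publish

if __name__ == "__main__":
    print("DS in parent:", PARENT_DS[0])
    print("matched:", keys_matching_ds(OWNER, PARENT_DS, [KSK, ZSK]))
    print("after REVOKE:", keys_matching_ds(OWNER, PARENT_DS, [KSK_REVOKED, ZSK]))
```

The DS digest covers the DNSKEY flags field, so setting REVOKE changes both the key tag (by 128 here) and the digest.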