On Thu, Aug 21, 2008 at 09:47:38AM -0700, David Conrad wrote:
...
> >If the root zone were to "strobe" between signed and unsigned, what
> >minimum duration of "signed", and what
> >maximum duration of "unsigned" would be likely to not cause
> >operational problems for the aforementioned
> >DNSSEC-configured caching, validating resolvers?
>
> I'm unclear how going from a signed root zone to an unsigned root zone
> would work. If you've configured your root trust anchor and you get
> back a response that isn't signed, wouldn't that be treated as a
> validation failure?

Yes. This behavior is actually very clear: the DNS tree will vanish for
these validating caching resolvers. You have the option of doing this
smoothly by revoking the key (5011), but it'll not bring any value to the
deployment effort as you'll need to re-anchor again.

Fred

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop