On 2010-10-04, at 11:18, Tony Finch wrote:

> It isn't immediately clear to me from the root KSK DPS whether you expect
> RFC 5011 to work in the event of a compromise.
>
> [...]

We seem once again to be moving from the subject at hand to a review and discussion of the KSK DPS. I would prefer to focus on the document at hand, here. If you would like more insight into the design decisions that resulted in the current DPS, I am sure the authors of it would be happy to talk to you about it.

> There seems to be a significant difference between 5011 and the root TA
> operational plan. 5011 suggests there should be a backup TA key pair which
> is generated and published well in advance, but not used operationally. It
> just exists to be ready in case of loss or compromise of the operational
> TA. The root TA has no such backup.

Correct. There is no hot-standby replacement KSK for the root zone.

Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop