On 2010-10-04, at 12:56, Tony Finch wrote:

> On Mon, 4 Oct 2010, Jakob Schlyter wrote:
>>
>> Depending on the type of compromise, a RFC 5011 may not be appropriate.
>
> RFC 5011 allows for smooth operation across compromise or loss of the
> active KSK, or compromise or loss of the backup KSK. Only if both of them
> are simultaneously lost or compromised do things go horribly wrong.

I hear you, but there is no backup KSK in the sense that I think you mean (there is no pre-generated, hot-standby incoming KSK).

Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop