Olafur Gudmundsson wrote:
>
> There is a much simpler way.
> Just add a record to the root zone that is only signed by the new key.
> If the resolver returns the AD bit, it has the new key.
>
> All that is needed is to sign an RRset for a long time and add it to
> the root zone and make sure no ZSK signs it.
>

this.

--
Paul Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
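The client side of the check proposed in the quoted message, as an added example that is not code from the thread or from any root-zone tooling: it builds a query with the DO bit set and reads the AD bit from the reply header. The owner name `new-ksk-test.example.`, the TXT query type and the sample replies are constructed assumptions.

```python
import struct

AD, DO = 0x0020, 0x8000  # header AD flag (RFC 4035); EDNS0 DO flag (RFC 3225)
TEST_NAME = "new-ksk-test.example."  # hypothetical owner name of the test RRset

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=16, qid=0x1234):
    """Query (TXT by default) with RD and AD set, plus an OPT record carrying DO."""
    header = struct.pack("!HHHHHH", qid, 0x0100 | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, DO, 0)
    return header + question + opt

def sample_response(flags, ancount, qid=0x1234):
    """Constructed reply: header and question only, since only the header is read."""
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    return header + encode_name(TEST_NAME) + struct.pack("!HH", 16, 1)

def reply_has_ad(response, qid=0x1234):
    """True only for a NOERROR reply to our query that has answers and AD set."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return (flags & 0x000F) == 0 and ancount > 0 and bool(flags & AD)

if __name__ == "__main__":
    print(build_query(TEST_NAME).hex())
    # Constructed flag words: QR|RD|RA|AD, QR|RD|RA, and QR|RD|RA with RCODE=SERVFAIL
    for label, flags, an in [("AD set", 0x81A0, 1), ("no AD", 0x8180, 1),
                             ("SERVFAIL", 0x8182, 0)]:
        print(label, reply_has_ad(sample_response(flags, an)))
```

Only the AD-set case is read as the signal the message describes; the code draws no conclusion from a reply without AD.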