Olafur Gudmundsson <ola...@cloudflare.com> wrote:

> There is a much simpler way.
> Just add a record to the root zone that is only signed by the new key.
> If a resolver returns the AD bit, it has the new key.
I don't think this works.

If the new key is published in the root zone's DNSKEY RRset then it will be signed by the old key, so a validator will have a trust path from a stale trust anchor down to the special record (just like it does for records signed by ZSKs).

If the new key is not published in the root zone, then you are assuming that the validator uses DNSKEY records for its trust anchor configuration (but some validators use DS records) and that the validator will allow any RRset to be signed by the trust anchor (but RFC 4035 section 5 suggests only using the trust anchor to validate the apex DNSKEY RRset).

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
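To make the chain-of-trust argument in this reply concrete, here is an added toy model of a validator; it is not code from the thread, from the root zone operators, or from any real resolver. Keys and RRsets are abstract: an RRSIG is represented only by the key tag of the signing key, and "verification" is a membership check rather than real cryptography. The key tags, the `_probe` TXT record, and the `anchor_signs_any_rrset` knob (modelling a validator that lets a DNSKEY trust anchor sign arbitrary RRsets, contrary to the RFC 4035 section 5 behaviour) are all constructed for this illustration. The two scenario functions walk through both cases from the reply: the new KSK published in the apex DNSKEY RRset, and the new KSK unpublished.

```python
"""Toy model of DNSSEC chain-of-trust reasoning for a root-KSK probe record.

Added illustration only: signatures are modelled as the key tag of the signer,
not real cryptography. Key tags and record names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    keys: frozenset    # DNSKEY RRset only: key tags of the keys it contains
    rrsigs: frozenset  # key tags of the keys whose RRSIGs cover this RRset


# Constructed key tags for the example (old KSK, new KSK, a ZSK).
OLD_KSK, NEW_KSK, ZSK = 19036, 20326, 41000


def sets_ad(target, apex_dnskey, anchor, anchor_kind, anchor_signs_any_rrset=False):
    """Return True if this model validator would set the AD bit for `target`.

    anchor_kind is "DS" (anchor is a digest of a key and can only be used to
    validate the apex DNSKEY RRset) or "DNSKEY" (anchor is the key itself).
    anchor_signs_any_rrset=True models a validator that, unlike the RFC 4035
    section 5 procedure, accepts a DNSKEY trust anchor as a direct signer of
    any RRset rather than only of the apex DNSKEY RRset.
    """
    # Step 1: validate the apex DNSKEY RRset using the trust anchor.
    if anchor_kind == "DS":
        # A DS anchor only identifies a key; that key must appear in the
        # DNSKEY RRset and must have signed it.
        apex_ok = anchor in apex_dnskey.keys and anchor in apex_dnskey.rrsigs
    elif anchor_kind == "DNSKEY":
        apex_ok = anchor in apex_dnskey.rrsigs
    else:
        raise ValueError(f"unknown anchor kind {anchor_kind!r}")

    # Every key in a validated apex DNSKEY RRset becomes trusted.
    trusted = set(apex_dnskey.keys) if apex_ok else set()
    if target is apex_dnskey:
        return apex_ok

    # Step 2: other RRsets must be signed by a key from the validated RRset.
    if target.rrsigs & trusted:
        return True
    # Non-RFC 4035 shortcut some validators might allow (modelled, not assumed real).
    return anchor_kind == "DNSKEY" and anchor_signs_any_rrset and anchor in target.rrsigs


def probe_with_new_key_published():
    """Case 1: new KSK is in the apex DNSKEY RRset, which is signed by both KSKs.

    The probe is signed only by the new KSK, yet a validator whose anchor is
    the stale (old) key still reaches it: old anchor -> DNSKEY RRset -> new
    key -> probe. The AD bit therefore does not reveal which anchor is in use.
    """
    apex = RRset(".", "DNSKEY", frozenset({OLD_KSK, NEW_KSK, ZSK}),
                 frozenset({OLD_KSK, NEW_KSK}))
    probe = RRset("_probe.", "TXT", frozenset(), frozenset({NEW_KSK}))
    return {
        "stale DS anchor (old KSK)": sets_ad(probe, apex, OLD_KSK, "DS"),
        "updated DS anchor (new KSK)": sets_ad(probe, apex, NEW_KSK, "DS"),
    }


def probe_with_new_key_unpublished():
    """Case 2: new KSK is not in the apex DNSKEY RRset; probe signed by it only.

    Only a validator that both keeps its anchor as a DNSKEY and lets that
    anchor sign arbitrary RRsets will set AD; DS-anchored and RFC 4035 style
    validators with the new anchor do not, so AD is not a usable signal.
    """
    apex = RRset(".", "DNSKEY", frozenset({OLD_KSK, ZSK}), frozenset({OLD_KSK}))
    probe = RRset("_probe.", "TXT", frozenset(), frozenset({NEW_KSK}))
    return {
        "updated DS anchor": sets_ad(probe, apex, NEW_KSK, "DS"),
        "updated DNSKEY anchor, RFC 4035 s5": sets_ad(probe, apex, NEW_KSK, "DNSKEY"),
        "updated DNSKEY anchor, signs any RRset": sets_ad(probe, apex, NEW_KSK, "DNSKEY", True),
        "stale DS anchor": sets_ad(probe, apex, OLD_KSK, "DS"),
    }


if __name__ == "__main__":
    for title, fn in (("new key published", probe_with_new_key_published),
                      ("new key unpublished", probe_with_new_key_unpublished)):
        print(title)
        for validator, ad in fn().items():
            print(f"  {validator:45} AD={ad}")
```

In the published case both the stale and the updated anchor yield AD=True, which is the first objection in the reply; in the unpublished case only the permissive DNSKEY-anchored validator yields AD=True, which is the second objection.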