On Tue, 30 Jun 2015, Warren Kumari wrote:

>> I have been planning to write a draft to address 1 by having validators send
>> the DS of known TAs in an edns0 option code. This info could then be
>> logged by the authoritative nameservers.
>
> Inserting it in edns0 implies (I think) that all of the queries will
> contain this, which seems like a fairly big query size / efficiency
> hit. I guess you could just do it every N queries, or M time, or
> something. Very similar idea though...

Why? You would only add it to the question for DNSKEY of the root.
Maybe only after you determined a validation failure, so you clearly
have the wrong trust anchor.

It seems in general, having some special record signed by only the
new key seems a nicer solution, as it allows for large network
monitors (e.g. Atlas) to use unmodified DNS servers. But it will require
some kind of legal/contractual change :(

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
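The two mechanics argued about above (a validator attaching its known trust anchors to a root DNSKEY query in an EDNS0 option, and an authoritative server pulling that option back out to log it) in working form, as an added example that is not code from the thread or from any draft. The option code (a private-use value), the payload layout (a bare concatenation of DS fields: key tag, algorithm, digest type, digest) and the choice to send the option only on the `. DNSKEY` query are this example's assumptions; the two DS records used as sample input are the IANA-published root KSK DS values for key tags 19036 and 20326, embedded here so the script runs offline. The `option_overhead` function puts a number on the per-query size cost raised in the quoted reply.

```python
"""Signal known DNSSEC trust anchors in an EDNS0 option on a root DNSKEY query.

Illustrative code, not from the DNSOP thread. The option code and the
option payload layout are assumptions made for this example.
"""
import struct

TYPE_DNSKEY = 48
TYPE_OPT = 41
CLASS_IN = 1
DO_BIT = 0x00008000          # DNSSEC OK flag lives in the OPT RR's TTL field
EDNS_UDP_SIZE = 4096
TA_OPTION_CODE = 65001       # assumption: a private-use EDNS option code

# DS digest length by digest type: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_LEN = {1: 20, 2: 32, 4: 48}

# Constructed sample input: the IANA root DS records for KSK-2010 and KSK-2017
ROOT_TRUST_ANCHORS = [
    (19036, 8, 2, bytes.fromhex(
        "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")),
    (20326, 8, 2, bytes.fromhex(
        "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D")),
]


def encode_ta_option(trust_anchors):
    """Serialise (key tag, algorithm, digest type, digest) tuples into option data."""
    data = b""
    for key_tag, alg, dtype, digest in trust_anchors:
        if len(digest) != DIGEST_LEN[dtype]:
            raise ValueError("digest length does not match digest type")
        data += struct.pack("!HBB", key_tag, alg, dtype) + digest
    return data


def decode_ta_option(data):
    """Inverse of encode_ta_option; digest length is implied by the digest type."""
    anchors, off = [], 0
    while off < len(data):
        key_tag, alg, dtype = struct.unpack_from("!HBB", data, off)
        off += 4
        n = DIGEST_LEN[dtype]
        anchors.append((key_tag, alg, dtype, data[off:off + n]))
        off += n
    return anchors


def build_root_dnskey_query(trust_anchors=None, txid=0x1234):
    """Validator side: '. DNSKEY IN' with DO set, plus the TA option when given."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = b"\x00" + struct.pack("!HH", TYPE_DNSKEY, CLASS_IN)  # root name is a single zero byte
    rdata = b""
    if trust_anchors:
        opt = encode_ta_option(trust_anchors)
        rdata = struct.pack("!HH", TA_OPTION_CODE, len(opt)) + opt
    # OPT RR: name ".", type 41, class = UDP payload size, TTL = ext-rcode/version/flags
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, DO_BIT, len(rdata)) + rdata
    return header + question + opt_rr


def _skip_name(packet, off):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def extract_trust_anchors(packet):
    """Authoritative side: return the anchors advertised in the OPT RR, or None."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", packet, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4          # qtype + qclass
    for _ in range(an + ns + ar):
        off = _skip_name(packet, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", packet, off)
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        o = 0
        while o + 4 <= len(rdata):                  # walk the option list
            code, olen = struct.unpack_from("!HH", rdata, o)
            o += 4
            if code == TA_OPTION_CODE:
                return decode_ta_option(rdata[o:o + olen])
            o += olen
    return None


def option_overhead(trust_anchors):
    """Extra bytes the option adds to a query (the cost if it rode on every query)."""
    return len(build_root_dnskey_query(trust_anchors)) - len(build_root_dnskey_query())


if __name__ == "__main__":
    q = build_root_dnskey_query(ROOT_TRUST_ANCHORS)
    print("query bytes: %d, option overhead: %d" % (len(q), option_overhead(ROOT_TRUST_ANCHORS)))
    for key_tag, alg, dtype, _ in extract_trust_anchors(q):
        print("logged TA: key tag %d alg %d digest type %d" % (key_tag, alg, dtype))
```

Sending the option only on the root DNSKEY query keeps the cost to one 76-byte addition per trust-anchor refresh rather than per query; a server that wants to log only validators with a stale anchor can compare the decoded key tags against the DS records it currently publishes.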
