On Wed, 16 Nov 2016, Bob Harold wrote:
> This is not well thought out, but what jumps to mind is to keep a chain
> of signatures in the root DNS that links from the original KSK up
> through the current KSK (or at least the last 10 years). Perhaps a
> different record type, so it is only sent if asked for.
> Does that make any sense?

Someone told me that the information needed could be gained in replaying a
root zone packet from every 3 months since when DNSSEC was originally
developed (or at least from when whatever this proposed solution was
done).
That seems to be similar to what you're thinking of here. Can we get a
solution that does that, that isn't a DDOS amplification vector or
something else hugely problematic?
--
Mikael Abrahamsson email: swm...@swm.pp.se
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop