There is also the physical solution. Have removable storage for the key and update the key using this externally when required. Nano sims or micro sd card would be a good form factor for this. Pick a standard file name and you just have them sitting on the shelves in stores with the key date printed on the packaging.
Is it that hard to add a sim or sd card reader? This is the solution the cable industry uses for its crypto issues but with bigger form factor cards.

Mark

In message <20161116203911.ga40...@isc.org>, Evan Hunt writes:
> On Wed, Nov 16, 2016 at 08:41:03AM -0500, Bob Harold wrote:
> > > Do you have a suggestion for a solution?
> > >
> > This is not well thought out, but what jumps to mind is to keep a chain of
> > signatures in the root DNS that links from the original KSK up through the
> > current KSK (or at least the last 10 years). Perhaps a different record
> > type, so it is only sent if asked for.
> >
> > Does that make any sense?
>
> I believe that's what the TALINK RR type is for. The draft seems to
> have fizzled back in 2010, but I still think it's a good idea.
>
> https://tools.ietf.org/html/draft-wijngaards-dnsext-trust-history-03
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org