> On Nov 16, 2016, at 22:41, Bob Harold <rharo...@umich.edu> wrote:
>
>> This is not well thought out, but what jumps to mind is to keep a chain of
>> signatures in the root DNS that links from the original KSK up through the
>> current KSK (or at least the last 10 years). Perhaps a different record
>> type, so it is only sent if asked for.
>
> Does that make any sense?

The problem is that it does not protect against key compromise, either by
operational causes or by mathematical progress.

Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop