> On Feb 13, 2018, at 9:10 AM, Bob Harold <rharo...@umich.edu> wrote:
>
> If an entry could be put in the root zone, that is signed only with the new
> key, then could users query that and always get a yes/no answer to whether
> they will be affected?

This doesn't work because when the new key is published in the zone (and signed by the old key, as it must be), then the new key becomes trusted by the validator. Thus, there is still a valid chain-of-trust to those records for those with only the old TA.

DW

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
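
The reasoning in the reply above, as an added example that is not part of the original message: a toy Python model of validator logic in which an RRSIG is represented by the name of the key that made it (no real cryptography). The key names, the test entry and the function names are constructed for illustration.

```python
# Toy model of DNSSEC chain-of-trust logic. Signatures are modelled as the set
# of key names that signed an RRset; all names below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    name: str
    signed_by: frozenset  # keys that produced an RRSIG over this RRset


def trusted_keys(trust_anchors, zone_keys, dnskey_rrset):
    """Keys a validator accepts for the zone after checking the DNSKEY RRset.

    The DNSKEY RRset is authenticated when one of its RRSIGs was made by a key
    that is in the RRset and is also a configured trust anchor. Once it is
    authenticated, every key in it is trusted, not only the anchor.
    """
    anchors_in_zone = set(trust_anchors) & set(zone_keys)
    if anchors_in_zone & dnskey_rrset.signed_by:
        return set(zone_keys)
    return set()


def validates(trust_anchors, zone_keys, dnskey_rrset, rrset):
    """True if rrset carries an RRSIG from any key the validator trusts."""
    return bool(trusted_keys(trust_anchors, zone_keys, dnskey_rrset) & rrset.signed_by)


# DNSKEY RRset is signed by the old key; the test entry only by the new key.
DNSKEY = RRset("./DNSKEY", frozenset({"old-ksk"}))
TEST_ENTRY = RRset("test-entry./TXT", frozenset({"new-ksk"}))
PUBLISHED = {"old-ksk", "new-ksk", "zsk"}   # new key published in the zone
UNPUBLISHED = {"old-ksk", "zsk"}            # counterfactual: new key absent


def outcome_by_validator(zone_keys):
    """Validation result for the test entry, per trust-anchor configuration."""
    configs = {"old TA only": {"old-ksk"}, "both TAs": {"old-ksk", "new-ksk"}}
    return {label: validates(tas, zone_keys, DNSKEY, TEST_ENTRY)
            for label, tas in configs.items()}


if __name__ == "__main__":
    for label, ok in outcome_by_validator(PUBLISHED).items():
        print(f"{label:12s} -> {'secure' if ok else 'bogus'}")
```

With the new key published, both configurations return the same answer, so the query cannot tell them apart; with the new key absent from the DNSKEY RRset, the entry fails for both.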