Firstly, you can’t avoid dealing with time if you want validators to always successfully validate answers from a signed zone, as there are caches involved and the DNS is loosely coherent. The DNS isn’t HTTPS; you aren’t always directly dealing with the authoritative server or a proxy like you are with HTTPS.
Secondly, we already effectively have a CRL at the DNSKEY name if you set the revoke bit.

Mark
-- 
Mark Andrews

> On 11 Sep 2018, at 04:56, shabbir ali <solari...@gmail.com> wrote:
>
> Hi all,
> My question is that instead of messing with the DNSSEC key rollover timing
> and all those manual and automation tool dependencies, why not simply use a
> key revocation list just like a certificate revocation list (CRL)?
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
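The "revoke bit" Mark refers to is the DNSKEY REVOKE flag from RFC 5011. The following Python is an added illustration, not code from this thread or from BIND: it builds DNSKEY RDATA, decodes the flags, computes the RFC 4034 key tag, and shows the caveat a validator implementer has to get right, namely that setting REVOKE changes the key tag, so the RRSIG the revoked key makes over the DNSKEY RRset carries the revoked form's tag. The `TrustAnchorStore` class is a hypothetical minimal sketch of just the Revoked -> Removed step of RFC 5011 section 2.1 (no add-hold-down timer), and it assumes RRSIG verification has already been done by the caller; the public-key bytes are constructed placeholders, not real keys.

```python
"""RFC 5011 REVOKE bit on DNSKEY records: flags, key tags and trust-anchor removal.

Added illustration, not code from the DNSOP thread or from any resolver. Public-key
bytes are constructed placeholders; TrustAnchorStore only models the Revoked -> Removed
step of RFC 5011 section 2.1 and assumes the caller has already validated RRSIGs.
"""
import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1; REVOKE from RFC 5011 section 3)
FLAG_ZONE = 0x0100    # bit 7: zone key
FLAG_REVOKE = 0x0080  # bit 8: key has been revoked
FLAG_SEP = 0x0001     # bit 15: secure entry point


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag, computed over the whole RDATA, flags included."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def decode_flags(flags):
    """Return the set of flag names set in a DNSKEY flags field."""
    names = set()
    if flags & FLAG_ZONE:
        names.add("ZONE")
    if flags & FLAG_REVOKE:
        names.add("REVOKE")
    if flags & FLAG_SEP:
        names.add("SEP")
    return names


def parse_dnskey(rdata):
    """Split DNSKEY RDATA into its fields and attach the key tag."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return {
        "flags": decode_flags(flags),
        "protocol": protocol,
        "algorithm": algorithm,
        "public_key": rdata[4:],
        "key_tag": key_tag(rdata),
        "revoked": bool(flags & FLAG_REVOKE),
    }


class TrustAnchorStore:
    """Hypothetical minimal trust-anchor store honouring the REVOKE bit.

    Anchors are identified by (algorithm, public key) rather than by key tag,
    because the tag changes once REVOKE is set on the same key.
    """

    def __init__(self, anchor_rdatas):
        self.anchors = {}
        for rdata in anchor_rdatas:
            k = parse_dnskey(rdata)
            self.anchors[(k["algorithm"], k["public_key"])] = rdata

    def process_rrset(self, rdatas, validated_signer_tags):
        """Apply a DNSKEY RRset seen at the anchor's name.

        validated_signer_tags: key tags of the RRSIGs over this RRset that the
        caller's validator already verified (assumption: done elsewhere).
        RFC 5011 section 2.1 requires the revoked key itself to sign the RRset,
        and its RRSIG key tag is the one computed with the REVOKE bit present.
        Returns the key tags of anchors removed.
        """
        removed = []
        for rdata in rdatas:
            k = parse_dnskey(rdata)
            if not k["revoked"]:
                continue
            ident = (k["algorithm"], k["public_key"])
            if ident not in self.anchors:
                continue  # revoked key we never trusted: nothing to do
            if k["key_tag"] not in validated_signer_tags:
                continue  # revoked key did not sign the RRset: ignore it
            del self.anchors[ident]
            removed.append(k["key_tag"])
        return removed


def demo():
    """Walk one revocation through the store; values are for the constructed keys."""
    ksk_pub = bytes([1, 2, 3, 4])    # constructed placeholder, not a real key
    other_pub = bytes([9, 9, 9, 9])  # constructed placeholder, not a real key
    ksk = dnskey_rdata(FLAG_ZONE | FLAG_SEP, 3, 13, ksk_pub)
    ksk_revoked = dnskey_rdata(FLAG_ZONE | FLAG_SEP | FLAG_REVOKE, 3, 13, ksk_pub)
    other = dnskey_rdata(FLAG_ZONE | FLAG_SEP, 3, 13, other_pub)

    store = TrustAnchorStore([ksk, other])
    rrset = [ksk_revoked, other]
    # RRset signed only by the other key: the revoked KSK must be ignored
    ignored = store.process_rrset(rrset, {key_tag(other)})
    # RRset also signed by the revoked key, using its post-revocation tag
    removed = store.process_rrset(rrset, {key_tag(other), key_tag(ksk_revoked)})
    return {
        "active_tag": key_tag(ksk),
        "revoked_tag": key_tag(ksk_revoked),
        "ignored": ignored,
        "removed": removed,
        "anchors_left": len(store.anchors),
    }


if __name__ == "__main__":
    print(demo())
```

Because the REVOKE bit sits at an odd byte offset in the RDATA, the key tag of a revoked key is the unrevoked tag plus 128 (modulo the RFC 4034 carry folding), which is why a store keyed on the original tag would never match the revocation, and why the RRSIG made by the revoked key must be looked up under the new tag.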