Firstly you can’t avoid dealing with time if you want validators to always
successfully validate answers from a signed zone as there are caches involved
and the DNS is loosely coherent. The DNS isn’t HTTPS, you aren’t always
directly dealing with the authoritative server or a proxy like you a
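The cache argument above is easiest to see with a small timing model. The following is an added example, not code from the thread or from any DNSOP participant: it simulates one validating resolver that caches the zone's DNSKEY RRset for its TTL and a zone that rolls its signing key from K1 to K2, either abruptly or after pre-publishing K2 for at least one DNSKEY TTL. Key names, the 3600-second TTL and the query times are constructed values; the model ignores signature validity windows and propagation delay to authoritative secondaries, which in practice add to the waiting period.

```python
from dataclasses import dataclass, field

DNSKEY_TTL = 3600  # constructed TTL for the DNSKEY RRset, in seconds


@dataclass
class Zone:
    """Minimal signed zone: the published DNSKEY RRset and the key currently signing."""
    published_keys: set
    signing_key: str


@dataclass
class Resolver:
    """Validating resolver holding one cached copy of the zone's DNSKEY RRset."""
    cached_keys: set = field(default_factory=set)
    cached_at: int = -10**9   # far in the past, so the first query always fetches
    ttl: int = DNSKEY_TTL

    def keys_at(self, zone: Zone, now: int) -> set:
        # Serve the DNSKEY RRset from cache until its TTL expires; only then refetch.
        # This is the loose coherence: the resolver may hold a key set that is
        # up to one TTL older than what the authoritative server publishes.
        if now - self.cached_at >= self.ttl:
            self.cached_keys = set(zone.published_keys)
            self.cached_at = now
        return self.cached_keys

    def validate(self, zone: Zone, now: int) -> bool:
        # An answer validates only if the key that produced its RRSIG is present
        # in the DNSKEY RRset the resolver currently holds (fresh or cached).
        return zone.signing_key in self.keys_at(zone, now)


def run_rollover(prepublish_seconds: int, query_times: list) -> dict:
    """Roll the signing key K1 -> K2.

    K2 is added to the published DNSKEY RRset at t=0 and becomes the signing key
    at t=prepublish_seconds. Returns {query_time: validated} for one resolver that
    queries at each of the given times (which may start before t=0).
    """
    zone = Zone(published_keys={"K1"}, signing_key="K1")
    resolver = Resolver()
    results = {}
    for t in sorted(query_times):
        if t >= 0:
            zone.published_keys = {"K1", "K2"}   # pre-publish step
        if t >= prepublish_seconds:
            zone.signing_key = "K2"              # switch signing to the new key
        results[t] = resolver.validate(zone, t)
    return results


def min_prepublish(dnskey_ttl: int, propagation_delay: int = 0) -> int:
    """Smallest pre-publish interval for which no cached DNSKEY RRset can predate K2."""
    return dnskey_ttl + propagation_delay


if __name__ == "__main__":
    # Resolver caches {K1} at t=-1800, so that copy is served until t=1800.
    queries = [-1800, 900, 3700]
    print("abrupt (600 s) :", run_rollover(600, queries))          # 900 -> False (bogus)
    print("safe (1 TTL)   :", run_rollover(DNSKEY_TTL, queries))   # all True
    print("min pre-publish:", min_prepublish(DNSKEY_TTL, 300), "s")
```

In the abrupt run the resolver still holds {K1} at t=900 when answers are already signed by K2, so validation fails even though the authoritative server is entirely consistent with itself. Waiting one DNSKEY TTL before switching guarantees every cached copy that lacks K2 has expired; operationally you also add the time it takes secondaries to pick up the new zone.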
Generally, CRLs work reasonably well for revoking intermediate CAs and
leaf certificates, not so well for dealing with trust anchors. CRLs
work by the parent signing the revocation (and by being able to re-issue
new certificates). Root certs/trust anchors by definition do not have
parents.
Hi all,
My question is that instead of messing with the DNSSEC key Rollover timing
and all that manual and automation tools dependencies, why not simply use a
key revocation list just like a certificate revocation list (CRL)?
DNSOP mailing list