[dns-operations] [Dnssec-deployment] [ENUM-NL] DNSSEC trust-anchor notice for 1.3.e164.arpa.
Doug Barton
dougb at dougbarton.us
Sat Jan 8 02:39:19 UTC 2011
On 01/07/2011 03:23, Marco Davids (SIDN) wrote:

> Since we anticipate that only very few people have actually configured
> the present trust-anchor (if any), we will *not* perform a full-blown
> key roll-over. Instead we will simply remove the old key and introduce a
> new one.

With all due respect, I think this is the wrong approach. :) If your
assessment is correct and very few people have the key configured IMO
now is the perfect time to practice doing a proper rollover.

> The new trust-anchor will not be published in an authenticated manner
> outside DNS (for example on an SSL-protected web page as before),
> because it will have its DS record in the parent.

Assuming that there is a trust path all the way from this zone to the
root, that's not only Ok, (once again IMO) that's preferable.

Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/