[dns-operations] [Dnssec-deployment] [ENUM-NL] DNSSEC trust-anchor notice for 1.3.e164.arpa.

Doug Barton dougb at dougbarton.us
Sat Jan 8 02:39:19 UTC 2011

On 01/07/2011 03:23, Marco Davids (SIDN) wrote:

> Since we anticipate that only very few people have actually configured
> the present trust-anchor (if any), we will *not* perform a full-blown
> key roll-over. Instead we will simply remove the old key and introduce a
> new one.

With all due respect, I think this is the wrong approach. :)  If your 
assessment is correct and very few people have the key configured IMO 
now is the perfect time to practice doing a proper rollover.

> The new trust-anchor will not be published in an authenticated manner
> outside DNS (for example on an SSL-protected web page as before),
> because it will have it's DS record in the parent.

Assuming that there is a trust path all the way from this zone to the 
root, that's not only Ok, (once again IMO) that's preferable.



	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/

More information about the dns-operations mailing list