AW: [dns-operations] TLD .law - non-signing KSK with referenced DS

Alexander Mayrhofer alexander.mayrhofer at nic.at
Mon Jan 17 13:25:03 UTC 2022


Matthew,


> Given that having a standby key is a standard (and probably good!) practice,
> should Zonemaster perhaps classify this as less of a problem, maybe as a
> "warning"?
> 
> Obviously there needs to be at least one KSK signing the DNSKEYs...

[AM] Good point. I'll talk to the zonemaster team, and find out whether we can change that reporting aspect. I'm not sure zonemaster is capable of doing more complicated / inter-dependend levels (such as "ERROR", unless there's other DS chains that validate, then "WARNING")..

Best,
Alex





More information about the dns-operations mailing list