AW: [dns-operations] TLD .law - non-signing KSK with referenced DS
Alexander Mayrhofer
alexander.mayrhofer at nic.at
Mon Jan 17 13:25:03 UTC 2022
Matthew,
> Given that having a standby key is a standard (and probably good!) practice,
> should Zonemaster perhaps classify this as less of a problem, maybe as a
> "warning"?
>
> Obviously there needs to be at least one KSK signing the DNSKEYs...
[AM] Good point. I'll talk to the zonemaster team, and find out whether we can change that reporting aspect. I'm not sure zonemaster is capable of doing more complicated / inter-dependend levels (such as "ERROR", unless there's other DS chains that validate, then "WARNING")..
Best,
Alex
More information about the dns-operations
mailing list