On Mon, 1 Apr 2019 at 11:54, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> Matthew Pounsett <matt@conundrum.com> wrote:
>> Someone suggested keeping a set of DNSKEYs with a chain of RRSIGs in an
>> alternate zone, but that isn't scalable to multiple trust anchors unless
>> you've also got some way to signal the name of the alternate zone at the
>> apex. And then we're talking about adding a delegation to the root zone that
>> is not a TLD registry, which has its own set of complexities.
>
> One thought is a set of files, copies of the root zone in AXFR or DNS presentation format. If available via TCP at a known IP address(es), then the client can replay the process and roll itself forward.
That still seems root-zone specific, though. They're not particularly common, but there are other trust anchors out there. As was done with 5011, it seems prudent to think about how anything we design could be applied to other zones.
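Michael's idea of replaying a series of root-zone copies to roll a validator forward amounts to running the RFC 5011 state machine over historical DNSKEY RRsets, and nothing in that logic is root-specific, which is Matthew's point. The following is an added example, not code from this thread or from any project, that models the replay in Python: signature validation is abstracted away (each constructed snapshot simply lists the key tags whose RRSIGs over the DNSKEY RRset are assumed to have verified), and it implements only the 30-day add hold-down, the self-signed REVOKE rule, and the reset of a pending key that disappears from a copy.

```python
from dataclasses import dataclass

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY   # RFC 5011 add hold-down time: 30 days
REVOKE = 0x0080            # REVOKE bit in the DNSKEY flags field
SEP = 0x0001               # Secure Entry Point bit; only SEP keys can become anchors

@dataclass
class Snapshot:
    """One historical copy of the apex DNSKEY RRset (constructed for this example)."""
    time: int          # seconds since epoch when the copy was taken
    keys: dict         # key tag -> DNSKEY flags
    verified_by: set   # tags whose RRSIG over this RRset is assumed to have validated

def replay(snapshots, initial_anchor):
    """Walk the copies in time order and return the resulting set of trusted key tags."""
    trusted = {initial_anchor}
    pending = {}       # AddPend keys: tag -> time first seen
    for snap in sorted(snapshots, key=lambda s: s.time):
        if not (snap.verified_by & trusted):
            continue   # copy not signed by a key we already trust: ignore it
        for tag, flags in snap.keys.items():
            if flags & REVOKE:
                # A revoked key is only removed if it signed its own RRset.
                if tag in snap.verified_by:
                    trusted.discard(tag)
                    pending.pop(tag, None)
            elif tag not in trusted and flags & SEP:
                first_seen = pending.setdefault(tag, snap.time)
                if snap.time - first_seen >= ADD_HOLD_DOWN:
                    trusted.add(tag)
                    del pending[tag]
        # A pending key that vanishes from a copy goes back to the Start state.
        for tag in list(pending):
            if tag not in snap.keys:
                del pending[tag]
    return trusted

def example_rollover():
    """Constructed history: key 2 is introduced, key 1 later self-revokes, key 3 flaps."""
    ksk = 257  # flags: ZONE + SEP
    history = [
        Snapshot(0 * DAY, {1: ksk, 2: ksk, 3: ksk}, {1}),
        Snapshot(15 * DAY, {1: ksk, 2: ksk}, {1}),             # key 3 missing: hold-down resets
        Snapshot(31 * DAY, {1: ksk, 2: ksk, 3: ksk}, {1, 2}),  # key 2 has passed the hold-down
        Snapshot(40 * DAY, {1: ksk | REVOKE, 2: ksk, 3: ksk}, {1, 2}),  # key 1 revoked
    ]
    return replay(history, initial_anchor=1)
```

The same `replay` works for any zone's history, so a validator that missed a rollover for some other trust anchor could be rolled forward the same way, given a trustworthy source of that zone's old DNSKEY RRsets.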