March 29, 2019
1:43 p.m.
Won’t be useful for 5011 resolvers. They’re looking for a specific pattern of data publishing of dnskey and rrsigs. Publishing a cdnskey wouldn’t result in any new trust anchor being installed. Mike On Fri, Mar 29, 2019 at 13:44 Ray Bellis <ray@isc.org> wrote:
On 29/03/2019 13:26, StJohns, Michael wrote:
*grumble* It’s not 5011s fault if the root zone does not currently include standby keys.
No slight at you intended, Mike :)
Fortunately, that may be a shorter term issue. Mike
If standby keys become a thing, would it perhaps be useful if keys were pre-published as CDNSKEY / CDS records in the root so that they can be distributed without causing additional computational load on validators or bloating of the DNSKEY RR set?
Ray