Jan. 6, 2019
10:49 p.m.
As far as I understand the situation there is one small risk factor - the revoked key will inflate the size of the response to a root zone DNSKEY query to 1449 octets (as I recall). The combination of the possibility of fragmentation and some root servers performing response truncation implies a small risk of some DNSSEC-validating resolvers being unable to retrieve the root zone DNSKEY RR and going ‘dark’. However, this seems like a pretty small risk - other zones, such as .org, use a far larger response, and if a validating resolver is going to get caught out on being unable to receive large responses then it already has problems with .org names!

Geoff
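To make the size argument concrete, here is an added example (not Geoff's code) that models the wire size of a root DNSKEY response from the RR formats in RFC 4034 and RFC 3110, and checks it against common UDP payload limits. It assumes 2048-bit RSA keys with a 3-octet exponent and a bare EDNS OPT record; the exact octet count of a real response also depends on the key sizes and any extra records actually present.

```python
"""Estimate the wire size of a root DNSKEY response and compare it with UDP payload limits."""

DNS_HEADER = 12      # ID, flags, QD/AN/NS/AR counts
RR_FIXED = 10        # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
EDNS_OPT_RR = 11     # root owner (1) + fixed fields (10), no options
ROOT_NAME = 1        # the root name is a single zero octet

# Payload sizes after which a UDP response fragments or needs TCP:
#   1232 = IPv6 minimum MTU (1280) minus IPv6/UDP headers (48)
#   1452 = Ethernet MTU (1500) minus IPv6/UDP headers (48)
#   1472 = Ethernet MTU (1500) minus IPv4/UDP headers (28)
LIMITS = {1232: "IPv6 minimum MTU", 1452: "Ethernet over IPv6", 1472: "Ethernet over IPv4"}


def rsa_pubkey_len(key_bits, exponent_bytes=3):
    # RFC 3110: exponent length octet (exponent < 256 octets) + exponent + modulus
    return 1 + exponent_bytes + key_bits // 8


def dnskey_rr_len(key_bits, owner_len=ROOT_NAME):
    # RDATA: flags(2) + protocol(1) + algorithm(1) + public key
    return owner_len + RR_FIXED + 4 + rsa_pubkey_len(key_bits)


def rrsig_rr_len(key_bits, owner_len=ROOT_NAME, signer_len=ROOT_NAME):
    # RDATA: 18 fixed octets + signer name + signature (same length as modulus)
    return owner_len + RR_FIXED + 18 + signer_len + key_bits // 8


def dnskey_response_len(key_bits_list, signer_bits_list, owner_len=ROOT_NAME):
    """Header + question + one DNSKEY RR per key + one RRSIG per signing key + OPT."""
    question = owner_len + 4  # QNAME + QTYPE + QCLASS
    answer = sum(dnskey_rr_len(b, owner_len) for b in key_bits_list)
    sigs = sum(rrsig_rr_len(b, owner_len, owner_len) for b in signer_bits_list)
    return DNS_HEADER + question + answer + sigs + EDNS_OPT_RR


def exceeded_limits(size):
    """Return the payload limits (ascending) that a response of this size overshoots."""
    return [limit for limit in sorted(LIMITS) if size > limit]


if __name__ == "__main__":
    # Assumed scenario: KSK + ZSK signed by one KSK, then the revoked KSK is added
    # to the RRset and signs it too (hypothetical key sizes, 2048-bit RSA).
    before = dnskey_response_len([2048, 2048], [2048])
    after = dnskey_response_len([2048, 2048, 2048], [2048, 2048])
    for label, size in (("without revoked KSK", before), ("with revoked KSK", after)):
        hit = ", ".join(f"{n} ({LIMITS[n]})" for n in exceeded_limits(size)) or "none"
        print(f"{label}: {size} octets; limits exceeded: {hit}")
```

Under these assumptions the extra DNSKEY and its RRSIG add roughly 560 octets, which is what carries the response past the 1232-octet IPv6 minimum-MTU payload while staying under the Ethernet limits.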