On Fri, Mar 29, 2019 at 01:44:06PM +0100, Ray Bellis wrote:
> If standby keys become a thing, would it perhaps be useful if keys were pre-published as CDNSKEY / CDS records in the root so that they can be distributed without causing additional computational load on validators or bloating of the DNSKEY RR set?
I like this idea a lot. CDS seems like it's probably more doable than CDNSKEY. IIRC, the IANA powers-that-be have been resistant in the past to pre-publishing public keys but more open to pre-publishing hashes. So, CDS in a typical zone would be a signal to the parent to update the DS, and in the root zone it would be a signal to validators to update their trust anchors. (5011 holddown timing should probably apply, though...)

--
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
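The mechanism sketched in the reply above, as an added example that is not part of the thread and not ISC code: a validator derives DS-style hashes from DNSKEY records (RFC 4034 key tag and SHA-256 digest over owner name plus RDATA), and a small trust-anchor store treats a CDS seen in the root zone as a candidate anchor that is promoted only after it has been observed continuously for the RFC 5011 add hold-down of 30 days. Assumptions: the key material is constructed (not a real root key), the caller has already validated the CDS RRset under a current anchor before calling `observe_cds`, and the hold-down is applied to CDS exactly as RFC 5011 applies it to DNSKEY, which is the thread's proposal rather than any standardized behaviour.

```python
"""Added example: CDS-in-root as a hold-down-gated trust anchor signal.

All key material here is constructed for illustration; nothing below is a
real root zone key, and the CDS-to-anchor promotion is the proposal from the
mailing-list thread, not standardized validator behaviour.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass, field

ADD_HOLD_DOWN_SECONDS = 30 * 24 * 3600  # RFC 5011 add hold-down: 30 days


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # root label terminates the name


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 octets), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """SHA-256 DS/CDS digest (digest type 2): hash of owner name || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str) -> DS:
    """Build the DS (or CDS) record that corresponds to a DNSKEY presentation."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    return DS(key_tag(rdata), algorithm, 2, ds_digest(owner, rdata))


@dataclass
class TrustAnchorStore:
    """Candidate anchors taken from root-zone CDS, gated by the 5011 add hold-down.

    A candidate must be seen in every observation for 30 days; any observation
    in which it is absent resets its timer, mirroring RFC 5011's requirement
    that a new key be continuously present before it is trusted.
    """
    anchors: set = field(default_factory=set)
    first_seen: dict = field(default_factory=dict)  # DS -> time first observed

    def observe_cds(self, cds_set: set, now: int) -> list:
        """Feed the CDS RRset observed at `now` (assumed already validated under
        a current anchor). Returns the DS records promoted to anchors this round."""
        for ds in list(self.first_seen):
            if ds not in cds_set:
                del self.first_seen[ds]  # continuity broken: restart hold-down
        promoted = []
        for ds in cds_set:
            if ds in self.anchors:
                continue
            start = self.first_seen.setdefault(ds, now)
            if now - start >= ADD_HOLD_DOWN_SECONDS:
                self.anchors.add(ds)
                del self.first_seen[ds]
                promoted.append(ds)
        return promoted


# Constructed standby key: 64 arbitrary octets, base64-encoded as in a zone file.
CONSTRUCTED_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()


def demo() -> dict:
    """Walk a standby CDS through the hold-down; returns what a test can check."""
    day = 24 * 3600
    cds = ds_from_dnskey(".", 257, 3, 8, CONSTRUCTED_PUBKEY_B64)
    store = TrustAnchorStore()
    return {
        "cds": cds,
        "day0": store.observe_cds({cds}, 0),          # first sighting, not trusted
        "day10": store.observe_cds({cds}, 10 * day),  # still inside hold-down
        "day30": store.observe_cds({cds}, 30 * day),  # hold-down elapsed: promoted
        "anchors": set(store.anchors),
    }


if __name__ == "__main__":
    result = demo()
    print(f"CDS {result['cds'].key_tag} {result['cds'].algorithm} 2 {result['cds'].digest}")
    print("promoted on day 30:", [ds.key_tag for ds in result["day30"]])
```

The store deliberately keeps no signature logic of its own: the security of the scheme rests on the CDS RRset having been validated under an anchor the validator already holds, so `observe_cds` must only ever be fed validated data. The continuity reset is the part that most often gets dropped in ad-hoc implementations and is what stops a briefly published record from being trusted later.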