April 10, 2019
10:17 a.m.
On Apr 10, 2019, at 3:31 AM, Davey Song(宋林健) <ljsong@biigroup.cn> wrote:
I noticed that no stand-by KSK was pre-published in the 2017-ksk rollover, right? I put it down to the limitation on the size of the DNS response. Any other concerns about a stand-by KSK in a real production network?
Besides the fact that publishing a secondary or future key gives a potential attacker that much longer to crack it? That is essentially the same as pre-publishing other keys, which has been discussed in some detail on this list.