Hugo Salgado-Hernández <hsalgado@nic.cl> wrote:
Actually, I can see a use for the KSK-2010 yet. We can measure the "sunsetting" of this key from the resolvers by having a special record somewhere signed only by KSK-2010, and by testing its validation status from a resolver we could know if it's revoked or if it's still configured as a trust anchor.

That depends on some tricky assumptions about how the validator works.

* The validator's trust anchor configuration might be in DS record form, rather than public key form, in which case it won't be able to validate unless the key appears in the DNSKEY record.

* The validator might only use its trust anchor public keys for validating signatures on the DNSKEY RRset, and not allow the trust anchor to be used for validating any other records. I think the latter is true for BIND, for example.

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Trafalgar: Easterly or northeasterly 4 or 5, but 6 to gale 8 in far southeast, becoming variable 4 later in north. Slight or moderate, but rough in southeast. Mainly fair. Good.