On Tue, 8 Sep 2009, Edward Lewis wrote:

>> Hmm.
>>
>> So, in order to roll a key, you have to ensure DLV registries have replaced the keys, even when the DLV registries obtain the originals indirectly?
>>
>> Seems a bit broken to me.
>
> That's not broken, that's reality. My guidance is that we (operators) have to take reasonable steps to prevent relying parties from suffering consequences. When an emergency supercession is needed, a nasty choice may need to be made.

Indeed. And TLDs should check the iTAR and DLV. Perhaps also leave the old
key a little bit longer than two weeks for people to have a little bit more
time to respond.

Putting TLDs into DLV was not ideal anyway. I understand it was easier on a
lot of people. I've always seen TLD configuration (as long as the root is not
signed) as a separate issue from putting domains in unsigned parents into the
DLV. Hence the use of dnssec-conf to configure the TLD keys alongside the
DLV usage.

Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
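Added example, not part of the thread or of any tool mentioned in it: a small Python check of the kind the reply above calls for, comparing a zone's current DNSKEY RRset against the DS-format records a lookaside registry (DLV) or a trust-anchor repository still publishes for it, to flag entries that point at a key the zone no longer serves. The zone name, the two KSKs and the published record set are constructed inline (the keys are short dummy blobs, not real RSA keys); in practice the DNSKEYs would come from the zone and the DS-format records from a DLV or DS lookup. The digest is computed over the zone's own name plus the DNSKEY RDATA, as for a DS record, which is how RFC 4431 defines DLV RDATA.

```python
"""
Find DS-style records (DS, DLV, iTAR entries) that no longer match any
DNSKEY a zone currently publishes, e.g. after a KSK rollover.
Added example; zone, keys and published set below are constructed.
"""
import base64
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s.6.2): lowercase, uncompressed."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag (not valid for algorithm 1, RSA/MD5, which uses B.2)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(zone: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS/DLV digest over canonical owner name + DNSKEY RDATA (RFC 4034 s.5.1.4, RFC 4431)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(zone) + rdata).digest()


def make_ds(zone: str, rdata: bytes, digest_type: int = 2):
    """DS-format tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(zone, rdata, digest_type).hex())


def stale_records(zone: str, dnskeys, published):
    """Return the published DS-format tuples that match none of the zone's current DNSKEYs.

    Both SHA-1 and SHA-256 digests are generated for every current key, so a
    registry entry using either digest type is recognised as current.
    """
    current = {make_ds(zone, rd, dt) for rd in dnskeys for dt in (1, 2)}
    return [rec for rec in published if rec not in current]


# --- constructed sample data (dummy key material, not real RSA keys) ---------------
ZONE = "example."
OLD_KSK = dnskey_rdata(257, 3, 8, "AwEAAas=")       # the key being retired
NEW_KSK = dnskey_rdata(257, 3, 8, "AwEAAdPh5XcK")   # its replacement
# What the lookaside registry still publishes: it picked up the new key but kept the old one.
PUBLISHED = [make_ds(ZONE, OLD_KSK), make_ds(ZONE, NEW_KSK)]


def report(zone: str, dnskeys, published) -> str:
    """Human-readable summary for the operator checking a registry before removing the old key."""
    stale = stale_records(zone, dnskeys, published)
    if not stale:
        return f"{zone}: all {len(published)} published record(s) match a current DNSKEY"
    lines = [f"{zone}: {len(stale)} stale record(s) still published:"]
    for tag, alg, dtype, digest in stale:
        lines.append(f"  tag {tag} alg {alg} digest-type {dtype} {digest[:16]}...")
    return "\n".join(lines)


if __name__ == "__main__":
    # During the overlap window both keys are in the zone: nothing is stale yet.
    print(report(ZONE, [OLD_KSK, NEW_KSK], PUBLISHED))
    # Once the old key is pulled, the registry's copy of it becomes a dangling entry.
    print(report(ZONE, [NEW_KSK], PUBLISHED))
```

Run it as-is to see the two states; to use it for real, replace `ZONE`, the key list and `PUBLISHED` with the zone's DNSKEY RRset and the DS-format records fetched from the registry. An entry reported as stale after the overlap window is exactly the case discussed above: a relying party that trusts the registry will fail validation until the registry catches up, which is why leaving the old key published longer buys time.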