On 4 Oct 2010, at 18.56, Tony Finch wrote:
> On Mon, 4 Oct 2010, Jakob Schlyter wrote:
>>
>> Depending on the type of compromise, a RFC 5011 may not be appropriate.
>
> RFC 5011 allows for smooth operation across compromise or loss of the
> active KSK, or compromise or loss of the backup KSK. Only if both of them
> are simultaneously lost or compromised do things go horribly wrong.
RFC 5011 is not very useful if the active KSK is rendered inoperational
("lost"), nor is it very useful if the algorithm used for the active KSK is
compromised. My point is that there are more than the "the active KSK has been
stolen or brute-forced" scenario, and 5011 only helps you in some of those
cases.
I believe it would be most useful if the vendor planning on using the current
trust anchor publication scheme could explain their current ideas. They have
been bcc'd on this message, perhaps they will step forward.
jakob
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop