Looks like someone else thought of it already:
https://tools.ietf.org/html/draft-wijngaards-dnsext-trust-history-03
Thanks to Jaap for that info.
Someone will probably point out that using keys for a long time increases
the chances that someone can break them, but in this case I think it is
worth the risk to fix this issue.
--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
[email protected]
734-647-6524 desk
On Wed, Nov 16, 2016 at 9:42 AM, Mikael Abrahamsson <[email protected]>
wrote:
> On Wed, 16 Nov 2016, Bob Harold wrote:
>
>> This is not well thought out, but what jumps to mind is to keep a chain of
>> signatures in the root DNS that links from the original KSK up through the
>> current KSK (or at least the last 10 years). Perhaps a different record
>> type, so it is only sent if asked for.
>>
>> Does that make any sense?
>>
>
> Someone told me that the information needed could be gained in replaying a
> root zone packet from every 3 months since when DNSSEC was originally
> developed (or at least from when whatever this proposed solution was done).
>
> That seems to be similar to what you're thinking of here. Can we get a
> solution that does that, that isn't a DDOS amplification vector or
> something else hugely problematic?
>
>
> --
> Mikael Abrahamsson email: [email protected]
>
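The "chain of signatures linking from the original KSK up through the current KSK" idea above can be sketched in code. The following is an added illustration, not code from this thread, from the draft-wijngaards trust-history draft, or from any DNS implementation: it uses toy Ed25519 keys in place of DNSKEY/RRSIG records, and the names `Link`, `GenerateKSKs`, `BuildChain` and `WalkChain` are hypothetical. Each KSK signs its successor; a validator that still holds an old anchor walks the links forward, refusing any link not signed by the key it has accepted so far.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// rolloverPrefix gives the signed message some domain separation so a
// signature over a key cannot be confused with a signature over other data.
// Constructed for this example; the real draft works with DNSKEY/RRSIG records.
var rolloverPrefix = []byte("KSK-TRUST-HISTORY-LINK:")

// Link is one hop of the hypothetical trust-history chain: the KSK that
// precedes NextKey in the chain has signed NextKey.
type Link struct {
	NextKey   ed25519.PublicKey
	Signature []byte
}

// GenerateKSKs returns n toy Ed25519 KSKs in rollover order (oldest first).
func GenerateKSKs(n int) ([]ed25519.PrivateKey, error) {
	keys := make([]ed25519.PrivateKey, 0, n)
	for i := 0; i < n; i++ {
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		keys = append(keys, priv)
	}
	return keys, nil
}

// linkMessage is the exact byte string a predecessor KSK signs for its successor.
func linkMessage(next ed25519.PublicKey) []byte {
	return append(append([]byte{}, rolloverPrefix...), next...)
}

// BuildChain has each KSK sign its successor, producing len(keys)-1 links.
func BuildChain(keys []ed25519.PrivateKey) []Link {
	links := make([]Link, 0, len(keys))
	for i := 1; i < len(keys); i++ {
		next := keys[i].Public().(ed25519.PublicKey)
		links = append(links, Link{
			NextKey:   append(ed25519.PublicKey{}, next...),
			Signature: ed25519.Sign(keys[i-1], linkMessage(next)),
		})
	}
	return links
}

// WalkChain starts from a trusted anchor and verifies each link with the key
// it has accepted so far. It returns the key at the end of the chain, or an
// error naming the first link that does not verify.
func WalkChain(anchor ed25519.PublicKey, links []Link) (ed25519.PublicKey, error) {
	current := anchor
	for i, l := range links {
		if len(l.NextKey) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("link %d: malformed key", i)
		}
		if !ed25519.Verify(current, linkMessage(l.NextKey), l.Signature) {
			return nil, fmt.Errorf("link %d: not signed by the preceding KSK", i)
		}
		current = l.NextKey
	}
	return current, nil
}

func main() {
	keys, err := GenerateKSKs(5)
	if err != nil {
		panic(err)
	}
	links := BuildChain(keys)
	latest := keys[4].Public().(ed25519.PublicKey)

	// A validator whose trust anchor is the original KSK walks every link.
	got, err := WalkChain(keys[0].Public().(ed25519.PublicKey), links)
	fmt.Println("from original anchor:", err == nil && bytes.Equal(got, latest))

	// A validator anchored at the third KSK needs only the later links,
	// which is why the history could be served only on request.
	got, err = WalkChain(keys[2].Public().(ed25519.PublicKey), links[2:])
	fmt.Println("from third anchor:   ", err == nil && bytes.Equal(got, latest))

	// Altering any link breaks verification from that point on.
	links[3].NextKey[0] ^= 0xff
	_, err = WalkChain(keys[0].Public().(ed25519.PublicKey), links)
	fmt.Println("tampered chain rejected:", err != nil)
}
```

The walk is only as trustworthy as the anchor it starts from, and the chain grows by one link per rollover; a validator anchored k rollovers back needs only the links after its anchor, which keeps the amount of data it has to fetch proportional to how stale it is.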
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop