On Thu, Aug 3, 2017 at 10:06 PM, Wessels, Duane <dwess...@verisign.com> wrote:
> > On Aug 3, 2017, at 12:58 PM, Aanchal Malhotra <aanch...@bu.edu> wrote:
> >
> > However, I still don't see how it would help in case of trust anchor/KSK
> > compromise.
>
> This is why I wrote "I don't know if you consider it a solution."
>
> Even so, I think it could be useful, depending on the nature and scale of
> the zone in question. For example, if you had to perform an emergency KSK
> rollover you might do something like email a group of administrators with
> instructions to manually update their trust anchors. RFC 8145 would help
> you know how many administrators followed through on that request.

*"If the network administrator has an out-of-band method of contacting
resolver administrators that have stored the public key as a trust anchor
(such as e-mail), the network administrator should send out appropriate
warnings and set up a trusted means of disseminating the new trust anchor.
Otherwise, the DNS administrator can do nothing except pre-publish the new
KSK with ample time to give resolver administrators enough time to learn the
new KSK."*

Sure, you are right! But my question was for the "Otherwise" situation.

> DW
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
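Duane's point above is that RFC 8145 Key Tag signaling lets a zone operator measure how many validating resolvers have actually picked up a new KSK. The following is an added example, not code from the thread or from either participant, showing the mechanics: resolvers signal their configured trust anchor key tags as a QNAME of the form `_ta-<hex>[-<hex>]*` (RFC 8145 section 5.1, four lowercase hex characters per key tag), and the zone operator tallies those names out of its query logs. The key tags 19036 (KSK-2010) and 20326 (KSK-2017) are the real root KSK tags of the 2017 rollover; the query-log format and the log lines themselves are constructed for the example, and sorting the tags in `signaling_qname` is an implementation choice for determinism, not something the example claims the RFC requires. The EDNS option form of RFC 8145 signaling is not covered here.

```python
import re
from collections import Counter

# Real key tags of the two root KSKs involved in the 2017 rollover.
OLD_KSK_TAG = 19036  # KSK-2010
NEW_KSK_TAG = 20326  # KSK-2017

# RFC 8145 section 5.1 QNAME signaling: "_ta" followed by one "-<hex>" field
# per configured trust anchor key tag, four hex digits each, lowercase.
# For the root zone the name is just that label plus the root dot.
TA_LABEL = re.compile(r"^_ta((?:-[0-9a-f]{4})+)\.?$")


def key_tags_from_qname(qname):
    """Return the key tags signalled in an RFC 8145 QNAME, or None if the
    name is not a Key Tag signaling query."""
    m = TA_LABEL.match(qname.lower())
    if not m:
        return None
    return [int(h, 16) for h in m.group(1).split("-")[1:]]


def signaling_qname(tags):
    """Build the QNAME a resolver would send for the given key tags.
    Tags are sorted here for determinism (implementation choice)."""
    return "_ta-" + "-".join(f"{t:04x}" for t in sorted(tags)) + "."


# Constructed query-log lines for the example: <client ip> <qname> <qtype>.
# 0x4a5c == 19036, 0x4f66 == 20326.
SAMPLE_LOG = """\
192.0.2.10 _ta-4a5c. NULL
192.0.2.11 _ta-4a5c-4f66. NULL
192.0.2.12 _ta-4a5c-4f66. NULL
192.0.2.10 _ta-4a5c. NULL
198.51.100.7 _ta-4f66. NULL
198.51.100.8 www.example. A
"""


def summarize(log_text):
    """Keep the most recent trust anchor set signalled by each source
    address, then count how many sources have the new KSK, the old one,
    or both. This is the "did they follow through?" measurement."""
    latest = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        tags = key_tags_from_qname(parts[1])
        if tags is None:
            continue  # ordinary query, not a signaling name
        latest[parts[0]] = frozenset(tags)

    counts = Counter()
    for tags in latest.values():
        if NEW_KSK_TAG in tags and OLD_KSK_TAG in tags:
            counts["both"] += 1
        elif NEW_KSK_TAG in tags:
            counts["new_only"] += 1
        elif OLD_KSK_TAG in tags:
            counts["old_only"] += 1
        else:
            counts["other"] += 1
    return counts


if __name__ == "__main__":
    for k, v in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{k}: {v}")
```

In the sample log, two sources report both KSKs, one still reports only the old one, and one reports only the new one; the "old_only" bucket is the set of administrators the emergency email did not reach (or who have not acted), which is exactly what the signal can and cannot tell you in the "Otherwise" case: it measures uptake after the fact, it does not itself distribute the new anchor.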