On 02/13/2018 06:10 PM, Bob Harold wrote:
> [...] If an entry could be put in the root zone, that is signed only
> with the new key, then could users query that and always get a yes/no
> answer to whether they will be affected? 

I don't think that's possible.  This is about the _single_ root DNSKEY
RRset - switching which key signs the set (tags 19036 and 20326). 
Resolvers will either successfully validate this RRset or not, and
consequently they either can validate all other signatures in the root
zone or they can't trust anything in the whole DNS tree.


DNSOP mailing list

Reply via email to