On 02/13/2018 06:10 PM, Bob Harold wrote:
> [...] If an entry could be put in the root zone, that is signed only
> with the new key, then could users query that and always get a yes/no
> answer to whether they will be affected?

I don't think that's possible. This is about the _single_ root DNSKEY RRset - switching which key signs the set (tags 19036 and 20326). Resolvers will either successfully validate this RRset or not, and consequently they either can validate all other signatures in the root zone or they can't trust anything in the whole DNS tree.

--Vladimir

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop