> On Feb 13, 2018, at 9:10 AM, Bob Harold <rharo...@umich.edu> wrote:
> If an entry could be put in the root zone, that is signed only with the new 
> key, then could users query that and always get a yes/no answer to whether 
> they will be affected?  

This doesn't work because when the new key is published in the zone (and signed 
by the old key, as it must be), then the new key becomes trusted by the 
validator.  Thus, there is still a valid chain-of-trust to those records for 
those with only the old TA.  


DNSOP mailing list
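The chain-of-trust argument in the reply above, worked through as an added example (this code is not from the thread or from any DNS software). It is a toy model of RFC 4035 validation: the apex DNSKEY RRset is accepted once any RRSIG over it verifies with a configured trust anchor, after which every key in that RRset may authenticate zone data. Real signatures are replaced by HMAC under a per-key secret, and the key tags, the "old"/"new" labels, the `canary.` TXT record and the flattening of the KSK/ZSK split are all assumptions made for the model.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Key:
    """A DNSKEY in the toy model. 'secret' stands in for the key pair: the same
    bytes both sign and verify (HMAC), so only the trust logic is modeled,
    not real DNSSEC cryptography."""
    tag: int
    secret: bytes


@dataclass
class RRset:
    owner: str
    rrtype: str
    rdata: Tuple[str, ...]
    rrsigs: List[Tuple[int, bytes]]  # (key tag, toy signature)


def _canon(owner: str, rrtype: str, rdata: Tuple[str, ...]) -> bytes:
    return f"{owner}|{rrtype}|{'/'.join(rdata)}".encode()


def rrsig(key: Key, owner: str, rrtype: str, rdata: Tuple[str, ...]) -> Tuple[int, bytes]:
    """Toy RRSIG over an RRset: (key tag, MAC under that key)."""
    return key.tag, hmac.new(key.secret, _canon(owner, rrtype, rdata), hashlib.sha256).digest()


def rrsig_verifies(key: Key, rrset: RRset, sig: Tuple[int, bytes]) -> bool:
    tag, mac = sig
    if tag != key.tag:
        return False
    expected = hmac.new(key.secret, _canon(rrset.owner, rrset.rrtype, rrset.rdata),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def trusted_keys(dnskey: RRset, keys: List[Key], trust_anchors: List[Key]) -> List[Key]:
    """RFC 4035 logic: the apex DNSKEY RRset is secure if ANY RRSIG over it
    verifies with a configured trust anchor. Once it is secure, EVERY key in
    the RRset (including a newly published one) may authenticate zone data."""
    for ta in trust_anchors:
        if any(rrsig_verifies(ta, dnskey, sig) for sig in dnskey.rrsigs):
            return list(keys)
    return []


def validate(rrset: RRset, trusted: List[Key]) -> bool:
    return any(rrsig_verifies(k, rrset, sig) for k in trusted for sig in rrset.rrsigs)


def canary_results(sign_dnskey_with: Tuple[str, ...]) -> Dict[str, bool]:
    """Publish old and new KSK together in the root DNSKEY RRset, sign that
    RRset with the keys named in sign_dnskey_with, then check whether a
    'canary' record signed ONLY by the new key validates for a resolver that
    holds only the old trust anchor, and for one that holds only the new one."""
    ksk_old = Key(1, b"old-ksk-secret")  # arbitrary tags and secrets for the toy
    ksk_new = Key(2, b"new-ksk-secret")
    by_name = {"old": ksk_old, "new": ksk_new}
    keys = [ksk_old, ksk_new]

    dk_rdata = tuple(f"DNSKEY tag={k.tag}" for k in keys)
    dnskey = RRset(".", "DNSKEY", dk_rdata,
                   [rrsig(by_name[n], ".", "DNSKEY", dk_rdata) for n in sign_dnskey_with])

    # The proposed canary: zone data signed only with the new key. (The KSK/ZSK
    # split is flattened here; the chain-of-trust argument is the same.)
    canary = RRset("canary.", "TXT", ("signed-by-new-key-only",), [])
    canary.rrsigs.append(rrsig(ksk_new, canary.owner, canary.rrtype, canary.rdata))

    return {
        "old_ta_only": validate(canary, trusted_keys(dnskey, keys, [ksk_old])),
        "new_ta_only": validate(canary, trusted_keys(dnskey, keys, [ksk_new])),
    }


if __name__ == "__main__":
    # DNSKEY RRset signed by the old key, as it must be during the roll:
    # the old-TA-only resolver now trusts the new key too, so the canary validates.
    print("DNSKEY signed by old KSK:", canary_results(("old",)))
    # Counterfactual: without the old key's signature over the DNSKEY RRset the
    # old-TA-only resolver loses the whole chain, not just the canary.
    print("DNSKEY signed by new KSK only:", canary_results(("new",)))
```

With the DNSKEY RRset signed by the old key, `old_ta_only` comes back `True`: the resolver that never learned the new trust anchor still authenticates the new key through the old one, so the canary cannot tell the two populations apart. The counterfactual run shows why the RRset has to carry the old key's signature during the roll: without it, old-TA-only resolvers fail for everything under the root, not just the canary.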