On Tue, Feb 13, 2018 at 1:49 PM, Wessels, Duane <dwess...@verisign.com> wrote:
>> On Feb 13, 2018, at 9:10 AM, Bob Harold <rharo...@umich.edu> wrote:
>> If an entry could be put in the root zone, that is signed only with the new 
>> key, then could users query that and always get a yes/no answer to whether 
>> they will be affected?
> This doesn't work because when the new key is published in the zone (and 
> signed by the old key, as it must be),

Yup - this is the critical bit -- a number of us keep going down the
"Oooh! This is easy, we just publish Im-only-signed-with-2222. in the
root, and then people who cannot resolve that know that they don't
have 2222". And then killjoys like yourself point out that DNSSEC
doesn't actually work like that.... :-)


>then the new key becomes trusted by the validator.  Thus, there is still a 
>valid chain-of-trust to those records for those with only the old TA.
> DW
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.

DNSOP mailing list

Reply via email to