On Fri, 2022-07-29 at 13:50 +0000, Paul Hoffman wrote:
> On Jul 29, 2022, at 8:58 AM, Peter van Dijk <[email protected]> wrote:
> > The mention of 5011 talks about the root, but 5011 does not mention the
> > root at all. 5011 is not limited to the root.
>
> It is limited to "trust anchors", and essentially all DNSSEC trust anchors
> are for the DNS root. Still, the wording can be improved.

On the Internet, this is true, and I think it would be unwise (and unnecessary) to use 5011 for anything. But I've been told 5011 sees non-root usage inside some private networks.

> Current:
> - [RFC5011] explains how recursive resolvers and the DNS root can work
>   together to automate the rollover of the root's key signing key (KSK).
>
> Proposed:
> - [RFC5011] describes a method to help resolvers update their DNSSEC trust
>   anchors in an automated fashion. This method was used in 2018 to update
>   the DNS root trust anchor.

Wonderful.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
