Thanks Warren.
On Fri, Aug 4, 2017 at 4:11 PM, Warren Kumari <war...@kumari.net> wrote:
> On Thu, Aug 3, 2017 at 6:11 PM, Aanchal Malhotra <aanch...@bu.edu> wrote:
> >
> >
> > On Thu, Aug 3, 2017 at 11:49 PM, Michael StJohns <m...@nthpermutation.com
le are weighing in on the root and stand by keys.
>
> Mike
>
However, my question (not just for Mike.)
"If we have a solution to this (subject of this thread) problem without a
back-up key set? And do we even care about it?" still remains.
Thx.
>
>
>
>
> On 8/3/
Hi Mike,
On Thu, Aug 3, 2017 at 10:47 PM, Michael StJohns <m...@nthpermutation.com>
wrote:
> On 8/3/2017 3:01 PM, Aanchal Malhotra wrote:
>
> A DNSKEY RRset with pre-published KSK is signed by the old (now
> compromised) KSK. When the resolver uses RFC 5011 for the tru
On Thu, Aug 3, 2017 at 10:06 PM, Wessels, Duane <dwess...@verisign.com>
wrote:
>
> > On Aug 3, 2017, at 12:58 PM, Aanchal Malhotra <aanch...@bu.edu> wrote:
> >
> > However, I still don't see how it would help in case of trust anchor/KSK
> compromise.
>
>
that is not the zone's trust
anchor). But I don't see anything in the RFC that says what a zone
administrator can do in such a case. Am I missing something?
Thx,
Aanchal Malhotra.
On Thu, Aug 3, 2017 at 8:55 PM, Wessels, Duane <dwess...@verisign.com>
wrote:
> Hello Aanchal,
>
> I do
> There isn’t a single doc that focuses on KSK rollovers, but it is
> discussed in the BCP docs like RFC 6781 and other implementation-specific
> documents.
>
> Scott
>
> On 3 Aug 2017, at 11:50, Aanchal Malhotra wrote:
>
> Dear all,
>
> Maybe this has been discussed long
ue or do network
administrators care about it? And if it is, is there any RFC or relevant
doc or mailing list that discusses this problem/solutions, etc.?
References:
[1] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf
Thanks,
Aanchal Malhotra.