On Tue, Sep 08, 2009 at 11:23:16AM -0700, David Conrad <d...@virtualized.org> wrote a message of 21 lines which said:
> So, in order to roll a key, you have to ensure DLV registries have
> replaced the keys, even when the DLV registries obtain the originals
> indirectly?
>
> Seems a bit broken to me.

You use the plural but there is today only one DLV registry in active use. Since the root is not signed, a reasonable TLD operator which signs with DNSSEC has only one point to watch before dismissing his old key. If it is too much work, then, indeed, something is broken.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop