On Wed, 17 Mar 2010, Andrew Sullivan wrote:
> I think this should be changed to
>
>    The same operational concerns apply to the rollover of KSKs that
>    are used as trust-anchors. But remember: if a trust anchor
>    replacement is done incorrectly, and there is no other trust path
>    to the zone or validators are configured to trust only the trust
>    anchor and no other path, then the entire zone that the trust
>    anchor covers will become bogus until the trust anchor is
>    corrected.

Is that true? What happens if the KSK got rolled, the DS not updated
and an old DLV entry exists? Or what if the DLV is updated but not
the DS?
I think currently, a wrong DS trumps an updated DLV, but I have not
tested this recently on either bind or unbound. Is it specified anywhere
else what the expected behaviour is?
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop