On Mon, 4 Oct 2010, Jakob Schlyter wrote:
>
> RFC 5011 is not very useful if the active KSK is rendered in-operational
> ("lost")

Er, yes it is. You have a pre-published standby SEP key which validators are ready to use as a trust anchor, so you can immediately promote it to being the operational KSK. You handle key compromises in exactly the same way. (This implies you should have diverse systems and storage for the live and backup keys.)

> nor is it very useful if the algorithm used for the active KSK
> is compromised.

There isn't a very good solution for that since DNSSEC requires that a zone has RRSIGs for all algorithms for which it has DNSKEYs, so you can't pre-publish an inactive SEP key with a different algorithm. We just have to hope that algorithms are broken slowly, like MD5 :-)

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7, DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR ROUGH. RAIN THEN FAIR. GOOD.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
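As an added illustration (not part of the message above or of any DNSSEC implementation), a small Python model of the two points Tony makes: a validator that already holds the pre-published standby SEP key as an RFC 5011 trust anchor keeps validating when that key is promoted after the active KSK is lost, while a pre-published standby key of a different algorithm fails the RFC 4035 rule that every algorithm in the DNSKEY RRset must also sign. Key tags, the key sets and the validator's anchor state are constructed; no real signing or verification is performed.

```python
from dataclasses import dataclass

# Constructed model: keys are labelled records, no real signatures are made.
# Algorithm numbers 8 (RSASHA256) and 13 (ECDSAP256SHA256) are the IANA values.
@dataclass(frozen=True)
class Key:
    tag: int
    alg: int
    sep: bool = True  # SEP bit set on KSKs, clear on ZSKs

def unsigned_algorithms(dnskeys, signing_keys):
    """Algorithms present in the DNSKEY RRset that produce no RRSIG.
    DNSSEC (RFC 4035 s2.2, clarified in RFC 6840 s5.11) requires this set
    to be empty, which is why an inactive standby key of a new algorithm
    cannot simply be pre-published."""
    return {k.alg for k in dnskeys} - {k.alg for k in signing_keys}

def dnskey_rrset_accepted(trust_anchors, dnskeys, signing_keys):
    """An RFC 5011 validator accepts the DNSKEY RRset when the algorithm
    rule holds and at least one signing key is both in the RRset and
    already held as a trust anchor."""
    if unsigned_algorithms(dnskeys, signing_keys):
        return False
    return any(k in trust_anchors and k in dnskeys for k in signing_keys)

def lost_ksk_scenario():
    """Active KSK is lost; the pre-published standby SEP key takes over.
    Returns (accepted before the loss, accepted after promotion,
    accepted by a validator that never learned the standby key)."""
    active = Key(tag=11111, alg=8)
    standby = Key(tag=22222, alg=8)
    zsk = Key(tag=33333, alg=8, sep=False)
    # Validator that completed the 5011 add-hold-down for the standby key.
    anchors = {active, standby}
    before = dnskey_rrset_accepted(anchors, {active, standby, zsk}, {active})
    # The lost key is dropped from the RRset and the standby signs instead.
    after = dnskey_rrset_accepted(anchors, {standby, zsk}, {standby})
    # A validator holding only the old anchor cannot follow the promotion.
    stale = dnskey_rrset_accepted({active}, {standby, zsk}, {standby})
    return before, after, stale

def new_algorithm_standby_scenario():
    """Pre-publishing an inactive alg-13 standby next to alg-8 signers
    leaves algorithm 13 unsigned, so the RRset is not valid."""
    ksk, zsk, standby = Key(11111, 8), Key(33333, 8, False), Key(44444, 13)
    return unsigned_algorithms({ksk, zsk, standby}, {ksk, zsk})
```

The third value returned by `lost_ksk_scenario` is the operational reason the standby key must have completed its 5011 hold-down on validators before it is needed.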