On 2013-04-22, at 17:17, Wes Hardaker <wjh...@hardakers.net> wrote:

> Wes Hardaker <wjh...@hardakers.net> writes:
>
>> For what it's worth: I'm sort of on the fence when it comes to needing
>> to sign with the KSK. There are so very very few key-split owners out
>> there that it's not a huge market for them, and I doubt any of them will
>> want to do CDS anyway to their parent.
>
> FYI: I meant to mention that there is a significant number of operators
> that do actually protect their keys with different levels of protection
> and keep their KSKs in a "better vault".

That's interesting. Can you cite examples? The only example I know of is the root zone, which is weird and special for a variety of non-technical reasons. Last time I looked neither the BIND9 nor OpenDNSSEC toolchains supported offline-KSK operations without a lot of hackery.

Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop