Looks like someone else thought of it already: https://tools.ietf.org/html/draft-wijngaards-dnsext-trust-history-03
Thanks to Jaap for that info.

Someone will probably point out that using keys for a long time increases the chances that someone can break them, but in this case I think it is worth the risk, to fix this issue.

-- 
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk

On Wed, Nov 16, 2016 at 9:42 AM, Mikael Abrahamsson <swm...@swm.pp.se> wrote:

> On Wed, 16 Nov 2016, Bob Harold wrote:
>
>> This is not well thought out, but what jumps to mind is to keep a chain of
>> signatures in the root DNS that links from the original KSK up through the
>> current KSK (or at least the last 10 years). Perhaps a different record
>> type, so it is only sent if asked for.
>>
>> Does that make any sense?
>
> Someone told me that the information needed could be gained in replaying a
> root zone packet from every 3 months since when DNSSEC was originally
> developed (or at least from when whatever this proposed solution was done).
>
> That seems to be similar to what you're thinking of here. Can we get a
> solution that does that, that isn't a DDOS amplification vector or
> something else hugely problematic?
>
> --
> Mikael Abrahamsson email: swm...@swm.pp.se

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
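The "chain of signatures from the original KSK up through the current KSK" that Bob sketches above, modelled as an added example (not code from the thread, the draft, or any root-zone software). It assumes a hypothetical link record ("predecessor key id, successor public key, signature by the predecessor over the successor") and uses a stdlib-only Lamport one-time signature over SHA-256 as a stand-in for the RSA/ECDSA algorithms a real root KSK uses; a Lamport key can sign exactly once, which here is the single act of endorsing its successor. A resolver holding a stale anchor walks the chain forward and stops trusting at the first link that fails to verify.

```python
"""Toy model of a KSK trust-history chain (added example, not from the thread).

Signature scheme: Lamport one-time signatures over SHA-256, a stand-in for
the real DNSSEC algorithms. Link record format: hypothetical.
"""
import hashlib
import os

H = hashlib.sha256
N = 256  # digest bits; one secret pair per bit


def keygen():
    """Lamport key pair: 2*N random 32-byte secrets; public key is their hashes."""
    sk = [[os.urandom(32) for _ in range(2)] for _ in range(N)]
    pk = [[H(s).digest() for s in pair] for pair in sk]
    return sk, pk


def _bits(msg):
    d = H(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(sk, msg):
    """Reveal, for each digest bit, the secret matching that bit (one-time!)."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg, sig):
    """Every revealed secret must hash to the committed value for that bit."""
    if len(sig) != N:
        return False
    return all(H(s).digest() == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))


def pk_bytes(pk):
    """Canonical encoding of a public key: what a link record is signed over."""
    return b"".join(h for pair in pk for h in pair)


def pk_id(pk):
    """Short identifier for a key (plays the role of a key tag)."""
    return H(pk_bytes(pk)).hexdigest()[:16]


def build_chain(rollovers):
    """Simulate KSK rollovers. Each link: successor key, signed by its predecessor."""
    sk, pk = keygen()
    keys, links = [pk], []
    for _ in range(rollovers):
        next_sk, next_pk = keygen()
        links.append({"prev": pk_id(pk), "key": next_pk,
                      "sig": sign(sk, pk_bytes(next_pk))})
        sk, pk = next_sk, next_pk
        keys.append(pk)
    return keys, links


def walk(anchor_pk, links, max_steps=100):
    """From a (possibly years-old) trust anchor, follow verified links forward.

    Returns the current KSK public key, or None if a link fails to verify.
    max_steps bounds the walk so a looping or oversized chain cannot spin us.
    """
    by_prev = {link["prev"]: link for link in links}
    cur = anchor_pk
    for _ in range(max_steps):
        link = by_prev.get(pk_id(cur))
        if link is None:
            return cur  # no recorded successor: this is the current key
        if not verify(cur, pk_bytes(link["key"]), link["sig"]):
            return None  # broken link: trust nothing past it
        cur = link["key"]
    return None


def forge_link(links, index):
    """Attacker swaps their own key into one link without the predecessor's signature."""
    _, evil_pk = keygen()
    forged = [dict(link) for link in links]
    forged[index]["key"] = evil_pk
    return forged


if __name__ == "__main__":
    keys, links = build_chain(4)
    print("stale anchor reaches current key:", walk(keys[1], links) == keys[-1])
    print("forged chain rejected:", walk(keys[1], forge_link(links, 2)) is None)
```

The walk only verifies links that start at the anchor the resolver already holds, so a stale resolver never has to trust anything it cannot check; the chain itself grows by one record per rollover and, as Bob suggests, would live under its own record type so it is only served on request.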