On Wed, Nov 16, 2016 at 08:41:03AM -0500, Bob Harold wrote:
> > Do you have a suggestion for a solution?
>
> This is not well thought out, but what jumps to mind is to keep a chain of
> signatures in the root DNS that links from the original KSK up through the
> current KSK (or at least the last 10 years). Perhaps a different record
> type, so it is only sent if asked for.
>
> Does that make any sense?

I believe that's what the TALINK RR type is for. The draft seems to have
fizzled back in 2010, but I still think it's a good idea.

https://tools.ietf.org/html/draft-wijngaards-dnsext-trust-history-03

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.