KSK rollover, set revoke bit unconditionally ? (cfr RFC5011)

Tony Finch dot at dotat.at
Fri Nov 5 12:11:50 UTC 2010


On Fri, 5 Nov 2010, Marc Lampo wrote:
>
> in RFC5011, section 6.6, "Trust Point Deletion" (== KSK rollover),

Trust point deletion isn't the same as a normal KSK rollover. It's a
special procedure to make validators remove a trust anchor while
maintaining the security status of the zone using a chain of trust to a
higher level.

More generally, you don't need to follow RFC 5011 in most cases. It only
matters if you are running a zone which you expect validators to configure
as a trust anchor. For most practical purposes the only zones this applies
to are the root and dlv.isc.org. (I don't know of any other zones that are
run according to RFC 5011.) For other zones, what matters is the chain of
trust, and specifically the DS RRset at the delegation point in their
parent zone.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.
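As an added illustration of the distinction drawn above (example code, not from the original post or from BIND), here is a toy model of how an RFC 5011 validator handles the REVOKE flag: a routine KSK rollover leaves the trust anchors untouched, a self-signed revoked key is dropped, and revoking every anchor deletes the trust point (section 6.6). The key identifiers, the flags-only DNSKey record and the signer sets are constructed; hold-down timers and the AddPend state are omitted.

```python
"""Simplified RFC 5011 trust-anchor bookkeeping for a validator.

A key whose REVOKE flag is set only counts as revoked if the DNSKEY RRset
is also signed by that key (section 2.1).  Once every trust anchor for a
zone is revoked, the trust point is deleted (section 6.6).  Hold-down
timers and the AddPend state are omitted to keep the model short.
"""
from dataclasses import dataclass

ZONE_KEY = 0x0100  # RFC 4034 flags bit 7
REVOKE = 0x0080    # RFC 5011 flags bit 8
SEP = 0x0001       # RFC 4034 flags bit 15 (Secure Entry Point)


@dataclass(frozen=True)
class DNSKey:
    ident: str   # constructed label standing in for the key's public material
    flags: int


def is_revoked(key: DNSKey, signers: frozenset) -> bool:
    """RFC 5011 2.1: REVOKE bit set and the RRset is self-signed by this key."""
    return bool(key.flags & REVOKE) and key.ident in signers


def process_dnskey_rrset(anchors: frozenset, rrset: list, signers: frozenset):
    """Apply one observed DNSKEY RRset to the validator's trust anchors.

    anchors: idents of keys currently trusted for the zone.
    rrset:   DNSKey records seen at the zone apex.
    signers: idents of keys whose RRSIG over the RRset verified.
    Returns (remaining_anchors, trust_point_deleted).
    """
    # Section 2.2: only act on an RRset signed by a key we already trust.
    if not anchors or not (signers & anchors):
        return anchors, False
    present = {k.ident: k for k in rrset}
    remaining = set()
    for ident in anchors:
        key = present.get(ident)
        # An anchor absent from the RRset stays trusted (RFC 5011 "Missing").
        if key is None or not is_revoked(key, signers):
            remaining.add(ident)
    # Section 6.6: the trust point is gone once no anchor survives.
    return frozenset(remaining), not remaining
```

A DNSKEY carrying REVOKE that is not also among the signers is ignored, which is what stops a forged or unsigned revocation from evicting an anchor.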



More information about the bind-users mailing list