KSK rollover, set revoke bit unconditionally ? (cfr RFC5011)
Marc Lampo
marc_lampo at hotmail.com
Fri Nov 5 09:44:25 UTC 2010
Hello,
In RFC 5011, section 6.6, "Trust Point Deletion" (== KSK rollover),
there is an unconditional statement to set the REVOKE bit on the "old" KSK once the parent zone publishes the DS record of the new KSK.
I (we at EURid) are interested to learn whether this unconditional setting of the revocation bit is generally considered best practice.
This, in my opinion, adds more complexity for the administrator of DNSSEC zones.
Isn't it enough to use the revoke bit only in case of an actual/suspected compromise?
Your comments are welcome!
Kind regards,
Marc Lampo
--- Security Officer for EURid --- http://www.linkedin.com/pub/dir/Marc/Lampo
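To make concrete what the REVOKE bit changes for a resolver that follows RFC 5011, here is an added example (not part of the original post, and not BIND's own code): a small Python model of the RFC 5011 trust-anchor state machine (Start, AddPend, Valid, Missing, Revoked, Removed) run over two constructed KSK rollovers, one that merely drops the old key and one that publishes it with the REVOKE bit set. The key material, the class and function names, and the `signers` argument (the caller is assumed to have already verified which keys' RRSIGs validate over the DNSKEY RRset) are all assumptions of this example; the key-tag arithmetic follows RFC 4034 Appendix B.

```python
from dataclasses import dataclass

# DNSKEY flag bits (RFC 4034 s.2.1.1) and the REVOKE bit (RFC 5011 s.2.1, bit 8).
FLAG_ZONE, FLAG_REVOKE, FLAG_SEP = 0x0100, 0x0080, 0x0001
DNSKEY_PROTOCOL = 3
ADD_HOLD_DOWN = 30 * 24 * 3600     # RFC 5011 s.2.4.1: 30 days
REMOVE_HOLD_DOWN = 30 * 24 * 3600  # RFC 5011 s.2.4.2: 30 days
TRUSTED = {"Valid", "Missing"}     # states in which the resolver still uses the key


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B). Flags are part of the
    RDATA, so setting REVOKE changes the key tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class Dnskey:
    flags: int
    algorithm: int
    pubkey: bytes  # constructed placeholder bytes, not real key material

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([DNSKEY_PROTOCOL, self.algorithm]) + self.pubkey

    def tag(self) -> int:
        return key_tag(self.rdata())

    @property
    def revoked(self) -> bool:
        return bool(self.flags & FLAG_REVOKE)


class TrustAnchorStore:
    """Per-key RFC 5011 state (s.4.1), keyed by public key material because the
    key tag is not stable across revocation."""

    def __init__(self, initial: Dnskey, now: int):
        self.anchors = {initial.pubkey: ["Valid", now]}  # configured trust anchor

    def states(self) -> dict:
        return {pk: s for pk, (s, _) in self.anchors.items()}

    def trusted(self) -> set:
        return {pk for pk, (s, _) in self.anchors.items() if s in TRUSTED}

    def observe(self, rrset: list, signers: set, now: int) -> None:
        """Process one DNSKEY RRset; `signers` = pubkeys whose RRSIG verified (assumed)."""
        if not (signers & self.trusted()):  # s.2.2: ignore RRsets not signed by a trusted anchor
            return
        seen = {k.pubkey for k in rrset}
        for k in rrset:
            entry = self.anchors.get(k.pubkey)
            if k.revoked:
                # s.2.1: a revocation counts only if the revoked key also signed the RRset
                if entry and k.pubkey in signers and entry[0] in ("AddPend", "Valid", "Missing"):
                    self.anchors[k.pubkey] = ["Revoked", now]
                continue
            if entry is None:
                self.anchors[k.pubkey] = ["AddPend", now]      # Start -> AddPend
            elif entry[0] == "AddPend" and now - entry[1] >= ADD_HOLD_DOWN:
                self.anchors[k.pubkey] = ["Valid", now]        # hold-down elapsed
            elif entry[0] == "Missing":
                self.anchors[k.pubkey] = ["Valid", now]        # key reappeared
        for pk, entry in list(self.anchors.items()):
            if pk not in seen:
                if entry[0] == "Valid":
                    self.anchors[pk] = ["Missing", now]        # still trusted!
                elif entry[0] == "AddPend":
                    del self.anchors[pk]                       # back to Start
            if entry[0] == "Revoked" and now - entry[1] >= REMOVE_HOLD_DOWN:
                del self.anchors[pk]                           # Removed


def rollover(revoke_old: bool) -> dict:
    """Replay a KSK rollover as the validator sees it; returns final anchor states."""
    old = Dnskey(FLAG_ZONE | FLAG_SEP, 8, b"old-ksk-placeholder")
    new = Dnskey(FLAG_ZONE | FLAG_SEP, 8, b"new-ksk-placeholder")
    t = 0
    store = TrustAnchorStore(old, t)
    store.observe([old, new], {old.pubkey}, t)   # pre-publish new KSK: AddPend
    t += ADD_HOLD_DOWN
    store.observe([old, new], {old.pubkey}, t)   # still there after hold-down: Valid
    if revoke_old:
        old_rev = Dnskey(old.flags | FLAG_REVOKE, old.algorithm, old.pubkey)
        store.observe([old_rev, new], {old.pubkey, new.pubkey}, t)  # self-signed revocation
    else:
        store.observe([new], {new.pubkey}, t)    # old key silently withdrawn
    t += REMOVE_HOLD_DOWN
    store.observe([new], {new.pubkey}, t)
    return store.states()


if __name__ == "__main__":
    print("without REVOKE:", rollover(False))
    print("with REVOKE:   ", rollover(True))
```

The point the model makes visible: when the old KSK is only withdrawn, the resolver parks it in the Missing state and keeps trusting it indefinitely, so if that key were later compromised and re-published it would validate; only a self-signed DNSKEY with the REVOKE bit moves it to Revoked (immediately untrusted) and, after the remove hold-down, out of the store. It also shows why operators see a different key tag for the revoked key: the flags field is part of the tag computation.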