KSK rollover, set revoke bit unconditionally? (cf. RFC 5011)
marc_lampo at hotmail.com
Fri Nov 5 09:44:25 UTC 2010
In RFC 5011, section 6.6, "Trust Point Deletion" (== KSK rollover),
there is an unconditional statement to set the REVOKE bit on the "old" KSK, once the parent zone publishes the DS record of the new KSK.
I (we at EURid) are interested to learn if this unconditional setting of the revocation bit is generally considered best practice.
This, in my opinion, adds more complexity for the administrator of DNSSEC zones.
Isn't it enough to use the revoke bit only in case of an actual/suspected compromise?
Your comments are welcome!
--- Security Officer for EURid --- http://www.linkedin.com/pub/dir/Marc/Lampo
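One concrete source of the extra complexity raised above is that the REVOKE bit (flag bit 8, value 128) is part of the DNSKEY RDATA, so setting it changes the key tag: the revoked key must be published and used to self-sign the DNSKEY RRset as a key with a new tag, exactly as RFC 5011 section 2.1 describes. The Python below is an added illustration, not code from the original post or from BIND; it parses DNSKEY flags, sets the REVOKE bit and computes the RFC 4034 Appendix B key tag on a constructed (not real) KSK to show the tag change.

```python
"""RFC 5011 REVOKE bit and its effect on the DNSKEY key tag (added example)."""

# DNSKEY flag bits (RFC 4034 section 2.1.1, RFC 5011 section 2.1)
FLAG_ZONE = 0x0100    # bit 7: Zone Key
FLAG_REVOKE = 0x0080  # bit 8: REVOKE (RFC 5011)
FLAG_SEP = 0x0001     # bit 15: Secure Entry Point (KSK)

# Constructed sample KSK RDATA: flags 257, protocol 3, algorithm 8 (RSA/SHA-256),
# followed by a short fake public key.  The key bytes are invented for the
# example and are not a real key.
SAMPLE_KSK = bytes([0x01, 0x01, 0x03, 0x08]) + bytes(
    [0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD, 0xEF, 0x12]
)


def parse_flags(rdata: bytes) -> dict:
    """Split the 16-bit flags field of a DNSKEY RDATA into its named bits."""
    flags = int.from_bytes(rdata[0:2], "big")
    return {
        "flags": flags,
        "zone": bool(flags & FLAG_ZONE),
        "sep": bool(flags & FLAG_SEP),
        "revoke": bool(flags & FLAG_REVOKE),
    }


def set_revoke(rdata: bytes) -> bytes:
    """Return a copy of the RDATA with the REVOKE bit set (flags field only)."""
    flags = int.from_bytes(rdata[0:2], "big") | FLAG_REVOKE
    return flags.to_bytes(2, "big") + rdata[2:]


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is omitted).

    The tag is computed over the whole RDATA, flags included, which is why a
    revoked key gets a different tag from the same key before revocation.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rfc5011_state(rdata: bytes) -> str:
    """How an RFC 5011 validator treats a trust anchor candidate with these flags.

    RFC 5011 section 2.2: a key with the REVOKE bit set that is validly
    self-signed is removed from the trust anchor set; a key without the
    bit set stays (or, if new, enters the add-hold-down timer).
    """
    f = parse_flags(rdata)
    if not (f["zone"] and f["sep"]):
        return "not a trust-anchor candidate (ZONE and SEP required)"
    return "revoked: remove from trust anchors" if f["revoke"] else "valid trust anchor"


if __name__ == "__main__":
    before, after = SAMPLE_KSK, set_revoke(SAMPLE_KSK)
    print("flags before:", parse_flags(before), "tag", key_tag(before))
    print("flags after: ", parse_flags(after), "tag", key_tag(after))
    print(rfc5011_state(before), "->", rfc5011_state(after))
```

The flags go from 257 to 385 and the key tag of this sample key changes from 41451 to 41579 (a difference of exactly 128 here, because the accumulator does not overflow; with larger keys the carry step can alter it further). An operator who revokes unconditionally therefore has to track two tags for what is operationally one key, which is the administrative cost the question is about.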