KSK rollover, set revoke bit unconditionally? (cfr RFC 5011)

Marc Lampo marc_lampo at hotmail.com
Fri Nov 5 09:44:25 UTC 2010


In RFC 5011, section 6.6, "Trust Point Deletion" (== KSK rollover),
there is an unconditional statement to set the REVOKE bit on the "old" KSK once the parent zone publishes the DS record of the new KSK.

I (we at EURid) are interested to learn whether this unconditional setting of the revocation bit is generally considered best practice.
This, in my opinion, adds more complexity for the administrator of DNSSEC zones.

Isn't it enough to use the revoke bit only in case of an actual or suspected compromise?

Your comments are welcome!

Kind regards,

Marc Lampo

--- Security Officer for EURid --- http://www.linkedin.com/pub/dir/Marc/Lampo
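An added illustration of what the RFC 5011 revocation step above costs the validator side (example code, not from the post, ISC or EURid): it computes the RFC 4034 key tag of a constructed KSK before and after the REVOKE bit is set, showing that the tag changes, and applies the RFC 5011 rule that a revoked key is only accepted as revoked (and dropped as a trust anchor) when it still signs the DNSKEY RRset itself. The key material is constructed and not a real key.

```python
# DNSKEY flag bits (RFC 4034 / RFC 5011)
FLAG_ZONE   = 0x0100  # 256: zone key
FLAG_SEP    = 0x0001  # 1: secure entry point (KSK)
FLAG_REVOKE = 0x0080  # 128: RFC 5011 revoke bit

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1)=3 | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all non-RSAMD5 algorithms)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def revoke_changes_tag(flags: int, algorithm: int, pubkey: bytes) -> tuple[int, int]:
    """Key tag of the same key before and after setting REVOKE: they never match,
    so a validator must track trust anchors by key material, not by tag alone."""
    before = key_tag(dnskey_rdata(flags, algorithm, pubkey))
    after = key_tag(dnskey_rdata(flags | FLAG_REVOKE, algorithm, pubkey))
    return before, after

def process_dnskey_rrset(anchors: set[bytes], rrset: list[tuple[int, bytes]],
                         signers: set[bytes]) -> tuple[set[bytes], list[bytes]]:
    """RFC 5011 section 2.1 revocation handling on the validator side.
    anchors: public keys currently held as trust anchors.
    rrset:   (flags, pubkey) pairs from the zone's DNSKEY RRset.
    signers: public keys whose RRSIG over this RRset verified.
    A key with REVOKE set is removed as an anchor only if it self-signed the
    RRset; a revoked key that did not sign is ignored (revocation not accepted)."""
    remaining, revoked = set(anchors), []
    for flags, pubkey in rrset:
        if flags & FLAG_REVOKE and pubkey in remaining and pubkey in signers:
            remaining.discard(pubkey)
            revoked.append(pubkey)
    return remaining, revoked

# Constructed sample KSK (not a real key) with flags 257 (ZONE|SEP), algorithm 8.
OLD_KSK = bytes([0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD, 0xEF, 0x12])
NEW_KSK = bytes([0x03, 0x01, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44])

if __name__ == "__main__":
    print("key tag before/after REVOKE:", revoke_changes_tag(257, 8, OLD_KSK))
    rrset = [(257 | FLAG_REVOKE, OLD_KSK), (257, NEW_KSK)]
    print(process_dnskey_rrset({OLD_KSK, NEW_KSK}, rrset, {OLD_KSK, NEW_KSK}))
```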
