[dnssec-deployment] SEPs and TARs
matthijs at NLnetLabs.nl
Wed Apr 1 03:26:33 EDT 2009
Paul Hoffman wrote:
> (c) We never get here. FreeResolver was checking the freshness every day and understands RFC 5011. When it saw K2, it loaded it permanently as an SEP.
To clarify, RFC 5011 does not prevent SERVFAILing a zone that does not
properly roll over their keys. If it saw K2 and K1 was already retired
from the zone, K2 is not loaded permanently as a trust anchor.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 544 bytes
Desc: OpenPGP digital signature
Url : http://dnssec-deployment.org/pipermail/dnssec-deployment/attachments/20090401/45e6b570/attachment.bin
More information about the Dnssec-deployment