[Dnssec-deployment] .EU only publishes DS records that it can observe on the authoritative nameservers
Simon Arlott
simon at arlott.org
Wed Mar 30 14:14:34 EDT 2011
"The registry system has a dynamic validator that only updates the root
zone if the DS records submitted are confirmed to have matching DNSKEY
records on the selected nameservers."
Surely this prevents KSK rollovers where DS pre-publish is used?
Do any other registries do this?
If I were to add a second key to a signed zone, they could potentially
not have visibility of either key and then make the zone become
unsigned when they update the DS records.
--
Simon Arlott
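The rollover concern raised in the message above, as an added example that is not part of the original post or of any registry's code: it models the quoted policy as a strict per-record check (each submitted DS must match a DNSKEY observed on the nameservers) and runs a DS pre-publish submission through it. The zone name, key bytes, function names and the choice of SHA-256 digests are assumptions made for illustration.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    # DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key material
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for algorithms other than 1)."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS as (key tag, algorithm, digest type, digest); digest type 2 = SHA-256."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def registry_check(owner, submitted_ds, observed_dnskeys):
    """Assumed model of the quoted policy: keep only DS with an observed DNSKEY."""
    observable = {make_ds(owner, k) for k in observed_dnskeys}
    accepted = [ds for ds in submitted_ds if ds in observable]
    rejected = [ds for ds in submitted_ds if ds not in observable]
    return accepted, rejected

# Constructed sample data: placeholder bytes, not real keys
ZONE = "example.eu."
OLD_KSK = dnskey_rdata(257, 8, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 8, bytes(range(64, 128)))

def prepublish_scenario():
    # DS pre-publish: the DS for the new KSK is submitted while the zone's
    # DNSKEY RRset still contains only the old KSK.
    submitted = [make_ds(ZONE, OLD_KSK), make_ds(ZONE, NEW_KSK)]
    return registry_check(ZONE, submitted, observed_dnskeys=[OLD_KSK])

if __name__ == "__main__":
    accepted, rejected = prepublish_scenario()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Under this model the pre-published DS for the new KSK is rejected until the key itself appears in the DNSKEY RRset on the checked nameservers.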