On Thu, 03 Jan 2008, Holger Zuleger wrote:
New key signing key (KSK) for .SE As from today, 2008-01-03 .SE publish and take into use a new KSK for signing the .SE zone file. The key published with start 2006 with key id = 17686 is unvalid since 2008-01-01 and will be removed 2008-02-01. You should have configured the key published with start Would it be possible to set the REVOKE Bit on that key, and announce it for another 30 days?
There was no time to fix this for this rollover. Next time. Oh, sure, it's clear that no one want's to add a new functionality on a
Patrik Wallstrom wrote: productive service without testing, even if it is just to set one bit. But I thought that it was a good time to bring rfc5011 in mind...
Doing so enables a rfc5011 aware validator to discard the key automatically from the list of possible trust anchor.
Which resolvers honors the revocation bit? To my knowledge, no swedish resolver operators are using such software yet. I think you are right. I guess that actually no one use it. Small question to all the dnssec operators: Please raise your hand if I'm wrong. ;-) And to the bind guys: Honors bind, used as an dnssec validator, the revoke bit?
Holger