
On 01/07/2011 03:23, Marco Davids (SIDN) wrote:
> Since we anticipate that only very few people have actually configured the present trust-anchor (if any), we will *not* perform a full-blown key roll-over. Instead we will simply remove the old key and introduce a new one.
With all due respect, I think this is the wrong approach. :) If your assessment is correct and very few people have the key configured IMO now is the perfect time to practice doing a proper rollover.
> The new trust-anchor will not be published in an authenticated manner outside DNS (for example on an SSL-protected web page as before), because it will have its DS record in the parent.
Assuming that there is a trust path all the way from this zone to the root, that's not only OK, (once again IMO) that's preferable.

Doug

--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
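The reply's point that a DS record in the parent is enough once there is a trust path to the root depends on the parent's DS actually matching the child's published DNSKEY. The following is an added example, not code from this thread, that performs that check offline per RFC 4034 (key tag) and RFC 4509 (SHA-256 DS digest); the zone name and key bytes are constructed sample data.

```python
# Added example: verify that a zone's DNSKEY matches the DS its parent publishes.
# Key tag per RFC 4034 Appendix B, digest type 2 (SHA-256) per RFC 4509.
# All sample data below is constructed and does not describe any real zone.
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest (type 2) = SHA-256(canonical owner name | DNSKEY RDATA), as uppercase hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def matches_parent_ds(owner, flags, protocol, algorithm, pubkey_b64, parent_ds):
    """parent_ds = (key_tag, algorithm, digest_type, digest_hex) as published by the parent."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    tag, alg, dtype, digest = parent_ds
    if dtype != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented in this example")
    return (tag == key_tag(rdata) and alg == algorithm
            and digest.upper() == ds_digest_sha256(owner, rdata))

# Constructed sample: a KSK (flags 257) for a hypothetical zone, algorithm 8 (RSA/SHA-256).
SAMPLE_ZONE = "example.nl."
SAMPLE_KEY_BYTES = b"\x01\x02\x03\x04"          # constructed, not a real key
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY_BYTES).decode()
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, SAMPLE_KEY_BYTES)
# The DS the parent would have to publish for this key (computed here so the check passes).
SAMPLE_DS = (key_tag(SAMPLE_RDATA), 8, 2, ds_digest_sha256(SAMPLE_ZONE, SAMPLE_RDATA))
```

Against a real zone you would take the DNSKEY from the child's apex and the DS from the parent (both obtained with a validating resolver) and feed them to `matches_parent_ds`; a mismatch means the parent's DS does not cover the key, and the trust path the reply relies on is broken.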