.gov DNSSEC operational message
Jay Ashworth
jra at baylink.com
Thu Dec 23 18:37:13 UTC 2010
----- Original Message -----
> From: "Matt Larson" <mlarson at verisign.com>
> The new KSK will not be published in an authenticated manner outside
> DNS (e.g., on an SSL-protected web page). Rather, the intended
> mechanism for trusting the new KSK is via the signed root zone: DS
> records corresponding to the new KSK are already present in the root
> zone.
That sounds like a policy decision... and I'm not sure I think it sounds
like a *good* policy decision, but since no reasons were provided, it's
difficult to tell.
Why was that decision taken, Matt?
Cheers,
-- jra
More information about the NANOG
mailing list