-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephane Bortzmeyer wrote:
> On Sat, Jul 26, 2008 at 01:14:08AM +0200,
> Roy Arends wrote
> a message of 28 lines which said:
>
>> When a validator has a trust anchor configured for root, it _expects_
>> signatures for root.

>
> Which means there is no way back? If we sign ".fr", and people start
> to configure the trust anchor for ".fr" in their validating resolvers,
> we can no longer revert to the original, non-signed, system, should
> problems occur?


If you use a mechanism like described in rfc5011, there is a way back.
Section 5 says:

"A trust point that has all of its trust anchors revoked is considered
deleted and is treated as if the trust point was never configured."

So you have to revoke your KSKs and give resolvers some time to update
their trust anchors.

- - Matthijs




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIi5WsIXqNzxRs6egRAmidAJ42jQ5mnJIqztMYAsAE3h ZcyiRYagCfR4W9
nK7o/eebFI1iySR+iNqAlUY=
=mjym
-----END PGP SIGNATURE-----

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: