On Fri, Feb 12, 2010 at 02:28:41PM +0100, Olaf Kolkman wrote:
>
>
> In the particular case described in the column, RFC5011 methodology might not have worked; an old OS distribution carrying a stale key that is several generations old cannot be tracked using RFC5011 techniques. Wijngaards and Kolkman have been working on a proposal to fix that particular issue: "DNSSEC Trust Anchor History Service" (http://tools.ietf.org/html/draft-wijngaards-dnsop-trust-history).
>

glad to see that work going forward. Manning and Yamaguchi are working on a similar set of techniques to deal with the unscheduled key rollover issue based in part on an expired draft that was an alternative to what became RFC 5011. i suspect that work is complementary to either RFC 5011 or the -history draft.

--bill

> -- Olaf Kolkman
> NLnet Labs