On 13 Apr 2021, at 11:56, Eliot Lear wrote:

> The opendnssec team did a phenomenal job, only to be thwarted by secondary servers and amplification attack concerns.

One more thing... the OpenDNSSEC design did not really take into account key rollover and the need for interaction and/or integration in the registrar/registry (epp) flow of data. So actual deployment in operational environments was not trivial.

Today, with better support for management of DS inbound in a signed zone, this is not as big a problem as it was. Specifically as the need for rolling KSK is also questioned. As long as you CAN roll the KSK.

Patrik