23 Dec 2010, 6:37 p.m.
----- Original Message -----
From: "Matt Larson" <mlarson@verisign.com>
The new KSK will not be published in an authenticated manner outside DNS (e.g., on an SSL-protected web page). Rather, the intended mechanism for trusting the new KSK is via the signed root zone: DS records corresponding to the new KSK are already present in the root zone.

That sounds like a policy decision... and I'm not sure I think it sounds like a *good* policy decision, but since no reasons were provided, it's difficult to tell.

Why was that decision taken, Matt?

Cheers,
-- jra