Comment by Avamander
6 hours ago
> Or maybe an employee has compromised the new key that is going to be rotated in, while the old key is securely rooted in an HSM?
Also possible, but that'd be an active threat that has some probability of being caught.
Never replacing keys allows permanent compromise that can only be caught if someone directly observes misuse.
Though nobody monitors DNSSEC like that, nor uses it, so it's fine from that aspect I guess.
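The monitoring the comment says nobody does is cheap to implement: snapshot a zone's DNSKEY RRset, diff it against the previous snapshot so an unexpected key appearing (or a key that never rotates) is flagged. The script below is an added example, not code from the commenter or from Hacker News; the DNSKEY records, owner name and age threshold are constructed for illustration, and the key-tag calculation follows RFC 4034 Appendix B.

```python
import base64
from datetime import date

# Constructed DNSKEY RRsets in zone-file presentation format (not real zone data).
# Flags 257 = KSK (SEP bit set), 256 = ZSK; protocol is always 3; 13 = ECDSAP256SHA256.
SNAPSHOT_OLD = [
    "example.test. 3600 IN DNSKEY 257 3 13 AQIDBA==",  # KSK
    "example.test. 3600 IN DNSKEY 256 3 13 BQYHCA==",  # ZSK
]
SNAPSHOT_NEW = [
    "example.test. 3600 IN DNSKEY 257 3 13 AQIDBA==",  # KSK unchanged
    "example.test. 3600 IN DNSKEY 256 3 13 CQoLDA==",  # ZSK rotated in
]


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse one presentation-format DNSKEY record into its fields plus key tag."""
    fields = line.split()
    if len(fields) < 8 or fields[3] != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    flags, protocol, algorithm = (int(x) for x in fields[4:7])
    pubkey = base64.b64decode("".join(fields[7:]))   # key may span several tokens
    return {
        "owner": fields[0],
        "flags": flags,
        "algorithm": algorithm,
        "ksk": bool(flags & 1),                     # SEP bit marks the KSK
        "tag": key_tag(flags, protocol, algorithm, pubkey),
    }


def compare_snapshots(old_lines, new_lines):
    """Diff two DNSKEY snapshots by key tag: what appeared, vanished, or stayed."""
    old = {parse_dnskey(l)["tag"] for l in old_lines}
    new = {parse_dnskey(l)["tag"] for l in new_lines}
    return {"added": new - old, "removed": old - new, "kept": old & new}


def stale_keys(lines, first_seen, today, max_age_days):
    """Return tags of keys published longer than max_age_days, i.e. never rotated.

    first_seen maps key tag -> date the monitor first observed it (an assumed
    store; a key with no entry is treated as first seen today)."""
    stale = []
    for line in lines:
        tag = parse_dnskey(line)["tag"]
        age = (today - first_seen.get(tag, today)).days
        if age > max_age_days:
            stale.append(tag)
    return stale


if __name__ == "__main__":
    diff = compare_snapshots(SNAPSHOT_OLD, SNAPSHOT_NEW)
    print("added:", diff["added"], "removed:", diff["removed"], "kept:", diff["kept"])
    seen = {2068: date(2019, 1, 1), 6179: date(2024, 5, 20)}   # constructed history
    print("stale:", stale_keys(SNAPSHOT_NEW, seen, date(2024, 6, 1), 730))
```

In practice the snapshots would come from periodic DNSKEY queries (and the DS records at the parent for the KSK), and an "added" tag that no planned rotation accounts for is the alert; the age check is the complementary signal for the never-rotated case the comment describes.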