[ksk-change] Keeping two KSK keys long term
Paul Hoffman
paul.hoffman at vpnc.org
Wed Oct 1 19:45:13 UTC 2014
Greetings again. It is my impression that having two (or more) KSK keys long term makes 5011 rollovers a bit less problematic, but I could be misunderstanding some of the subtleties of 5011 when mixed with draft-ietf-dnsop-dnssec-key-timing. If it is better, I would propose that the timing of the KSK change be "add second and third key, wait a bit, remove current (first) key" over "add a second key, wait a bit, remove the current (first) key, wait a bit, add a new key (so we have two)".
Thoughts?
--Paul Hoffman
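
An added example, not part of the original message: a simplified day-by-day model of the trust-anchor set an RFC 5011 validator holds under the two orderings described above. The key names K1 to K3, the day numbers standing in for "wait a bit", and the use of the 30-day add hold-down with the TTL term ignored are assumptions of this sketch.

```python
# Added illustration: simplified RFC 5011 validator model at day granularity.
ADD_HOLD_DOWN = 30  # days; RFC 5011 add hold-down time (TTL term ignored here)

def trusted_per_day(events, horizon, initial=("K1",)):
    """Return, for each day, the sorted trust-anchor names the validator holds.

    events: list of (day, action, key) with action "publish" or "revoke".
    A published key becomes trusted only once it has been seen for
    ADD_HOLD_DOWN days; a revoked key is dropped on the day it is revoked.
    """
    trusted = set(initial)
    pending = {}  # key -> day it was first seen in the DNSKEY RRset
    timeline = []
    for day in range(horizon):
        for when, action, key in events:
            if when != day:
                continue
            if action == "publish":
                pending[key] = day
            elif action == "revoke":
                trusted.discard(key)
                pending.pop(key, None)
        for key, seen in list(pending.items()):
            if day - seen >= ADD_HOLD_DOWN:
                trusted.add(key)
                del pending[key]
        timeline.append(sorted(trusted))
    return timeline

def single_anchor_days_after(timeline, day):
    """Count days from `day` onward on which exactly one key is trusted."""
    return sum(1 for anchors in timeline[day:] if len(anchors) == 1)

# Constructed schedules; the day numbers are assumed, not from the message.
ADD_TWO_FIRST = [(0, "publish", "K2"), (0, "publish", "K3"), (60, "revoke", "K1")]
ONE_AT_A_TIME = [(0, "publish", "K2"), (60, "revoke", "K1"), (90, "publish", "K3")]
HORIZON = 150

if __name__ == "__main__":
    for name, sched in (("add two first", ADD_TWO_FIRST),
                        ("one at a time", ONE_AT_A_TIME)):
        tl = trusted_per_day(sched, HORIZON)
        print(name, "| final anchors:", tl[-1],
              "| single-anchor days after revoke:", single_anchor_days_after(tl, 60))
```

Both schedules end with K2 and K3 trusted; they differ in how long the validator is left with a single trust anchor after K1 is revoked.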