[ksk-change] Keeping two KSK keys long term

Paul Hoffman paul.hoffman at vpnc.org
Wed Oct 1 19:45:13 UTC 2014

Greetings again. It is my impression that having two (or more) KSK keys long term makes 5011 rollovers a bit less problematic, but I could be misunderstanding some of the subtleties of 5011 when mixed with draft-ietf-dnsop-dnssec-key-timing. If it is better, I would propose that the timing of the KSK change be "add second and third key, wait a bit, remove current (first) key" over "add a second key, wait a bit, remove the current (first) key, wait a bit, add a new key (so we have two)".


--Paul Hoffman

More information about the ksk-rollover mailing list