[ksk-change] Keeping two KSK keys long term

Jakob Schlyter jakob at kirei.se
Wed Oct 1 20:20:20 UTC 2014

On 1 okt 2014, at 21:45, Paul Hoffman <paul.hoffman at vpnc.org> wrote:

> It is my impression that having two (or more) KSK keys long term makes 5011 rollovers a bit less problematic, but I could be misunderstanding some of the subtleties of 5011 when mixed with draft-ietf-dnsop-dnssec-key-timing.

Have two keys, and replacing one with another will keep the response sizes about the same over time (given that the key algorithm and size are the same), but other than that I haven't heard this.

Perhaps Mike can clarify?


More information about the ksk-rollover mailing list