[ksk-change] Keeping two KSK keys long term
Jakob Schlyter
jakob at kirei.se
Wed Oct 1 20:20:20 UTC 2014
On 1 Oct 2014, at 21:45, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> It is my impression that having two (or more) KSK keys long term makes 5011 rollovers a bit less problematic, but I could be misunderstanding some of the subtleties of 5011 when mixed with draft-ietf-dnsop-dnssec-key-timing.
Having two keys, and replacing one with another, will keep the response sizes about the same over time (given that the key algorithm and size are the same), but other than that I haven't heard this.
Perhaps Mike can clarify?
jakob