[ksk-change] Testing new keys added

Jakob Schlyter jakob at kirei.se
Fri Oct 10 06:05:50 UTC 2014


On 10 Oct 2014, at 04:19, Paul Hoffman <paul.hoffman at vpnc.org> wrote:

> Assuming that a rollover uses the Double-KSK method described previously, is there an intention to test systems for the new SEP key before removing the old one? That is, if A is the current KSK and IANA adds B, after the 30-day hold-down time, either key could be used to sign zones in the root.

No, both keys need to sign the ZSK that signs the DS records in the root zone. And that invalidates the rest of your (otherwise interesting) proposal. Sorry :-/

	jakob


