[ksk-change] Testing new keys added

Peter Koch pk at denic.de
Fri Oct 10 07:03:06 UTC 2014

On Fri, Oct 10, 2014 at 08:05:50AM +0200, Jakob Schlyter wrote:

> No, both keys needs to sign the ZSK that signs the DS records in the root zone. And that invalidates the rest of your (otherwise interesting) proposal. Sorry :-/

the "-v" is that since the old KSK (at least) needs to sign the ZSK and thus the
DNSKEY RRSet, the new KSK will always be signed by the old one and therefore
its SEP properties cannot be tested?


More information about the ksk-rollover mailing list