[ksk-change] Testing new keys added

Richard Lamb richard.lamb at icann.org
Fri Oct 10 19:08:03 UTC 2014

Jakob's right.  If I understand the question correctly, you always need two KSK
RRSIGs to be able to simultaneously validate with either TA.  I learned that
when I was testing ksrsigner.c for key rolls. -Rick

-----Original Message-----
From: ksk-rollover-bounces at icann.org [mailto:ksk-rollover-bounces at icann.org]
On Behalf Of Jakob Schlyter
Sent: Thursday, October 09, 2014 11:06 PM
To: Paul Hoffman
Cc: ksk-rollover at icann.org
Subject: Re: [ksk-change] Testing new keys added

On 10 Oct 2014, at 04:19, Paul Hoffman <paul.hoffman at vpnc.org> wrote:

> Assuming that a rollover uses the Double-KSK method described previously,
> is there an intention to test systems for the new SEP key before removing
> the old one? That is, if A is the current KSK and IANA adds B, after the
> 30-day hold-down time, either key could be used to sign zones in the root.

No, both keys need to sign the ZSK that signs the DS records in the root
zone. And that invalidates the rest of your (otherwise interesting)
proposal. Sorry :-/
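The rule Jakob and Rick state above, worked through as an added example (this is not code from the thread and not ICANN's ksrsigner.c). It models a validator that holds either KSK A or KSK B as its trust anchor and asks whether it accepts the root DNSKEY RRset. The key tag (RFC 4034 Appendix B), the SHA-256 DS digest (RFC 4509) and the canonical RRset ordering are the real computations; the RRSIG "signature" is a hash stand-in keyed by the signer's public-key bytes so the example runs offline with the standard library, and the key material and the function names (`validator_accepts`, `unsigned_ksks`, `rollover_outcomes`) are constructed for this example.

```python
"""Why a Double-KSK rollover needs an RRSIG from each KSK over the DNSKEY RRset.

Real pieces: RFC 4034 key tag, RFC 4509 SHA-256 DS digest, canonical RRset order.
Stand-in: sign_rrset() keys a SHA-256 hash with the signer's public-key bytes.
That is NOT RSA/ECDSA and not how DNSSEC signs; it only lets the policy logic
run without a crypto library.
"""
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int
    public_key: bytes  # constructed placeholder bytes, not a real key
    protocol: int = 3

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # SEP bit


ROOT_OWNER_WIRE = b"\x00"  # canonical wire form of the root name "."


def ds_digest(owner_wire: bytes, key: DNSKEY) -> bytes:
    """RFC 4509 digest type 2: SHA-256(owner name || DNSKEY RDATA)."""
    return hashlib.sha256(owner_wire + key.rdata()).digest()


def canonical_rrset(keys) -> bytes:
    """RFC 4034 section 6.3: RDATA sorted into canonical order."""
    return b"".join(sorted(k.rdata() for k in keys))


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    signature: bytes


def sign_rrset(signer: DNSKEY, keys) -> RRSIG:
    """Stand-in signer (see module docstring): one RRSIG per signing key."""
    digest = hashlib.sha256(b"stand-in|" + signer.public_key + canonical_rrset(keys)).digest()
    return RRSIG(signer.key_tag(), digest)


def signature_verifies(sig: RRSIG, key: DNSKEY, keys) -> bool:
    # Deterministic stand-in, so verification is recomputation.
    return sig.signature == sign_rrset(key, keys).signature


def validator_accepts(trust_anchor_ds: bytes, keys, rrsigs) -> bool:
    """RFC 4035 section 5.2 shape: find the DNSKEY whose DS matches the trust
    anchor, then require an RRSIG over the DNSKEY RRset made by that key."""
    for key in keys:
        if ds_digest(ROOT_OWNER_WIRE, key) != trust_anchor_ds:
            continue
        for sig in rrsigs:
            if sig.key_tag == key.key_tag() and signature_verifies(sig, key, keys):
                return True
    return False


def unsigned_ksks(keys, rrsigs):
    """Pre-publication check: key tags of KSKs that have no RRSIG over the RRset."""
    signed_tags = {s.key_tag for s in rrsigs}
    return sorted(k.key_tag() for k in keys if k.is_ksk() and k.key_tag() not in signed_tags)


# Constructed sample keys (not the real root keys).
KSK_A = DNSKEY(flags=257, algorithm=8, public_key=b"constructed-KSK-A")
KSK_B = DNSKEY(flags=257, algorithm=8, public_key=b"constructed-KSK-B")
ZSK = DNSKEY(flags=256, algorithm=8, public_key=b"constructed-ZSK")
RRSET = (KSK_A, KSK_B, ZSK)

TA_A = ds_digest(ROOT_OWNER_WIRE, KSK_A)  # validators still on the old anchor
TA_B = ds_digest(ROOT_OWNER_WIRE, KSK_B)  # validators that switched after hold-down


def rollover_outcomes():
    only_a = [sign_rrset(KSK_A, RRSET)]
    both = [sign_rrset(KSK_A, RRSET), sign_rrset(KSK_B, RRSET)]
    return {
        "only_A_signs": {
            "TA_A_ok": validator_accepts(TA_A, RRSET, only_a),
            "TA_B_ok": validator_accepts(TA_B, RRSET, only_a),
            "unsigned_ksks": unsigned_ksks(RRSET, only_a),
        },
        "both_sign": {
            "TA_A_ok": validator_accepts(TA_A, RRSET, both),
            "TA_B_ok": validator_accepts(TA_B, RRSET, both),
            "unsigned_ksks": unsigned_ksks(RRSET, both),
        },
    }


if __name__ == "__main__":
    for case, result in rollover_outcomes().items():
        print(case, result)
```

With only A signing, a resolver whose trust anchor is B finds B in the RRset but no RRSIG by B and rejects the whole DNSKEY RRset, which is why B cannot be "tested" by switching it in as the sole signer; with both KSKs signing, either anchor validates, and `unsigned_ksks` is the check a signer would run before publishing the RRset.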
