[ksk-change] Testing new keys added

Jakob Schlyter jakob at kirei.se
Sun Oct 12 18:49:21 UTC 2014

On 10 okt 2014, at 18:49, Michael StJohns <msj at nthpermutation.com> wrote:

> Not exactly.  By convention we split ZSK and KSK duties, but that's not actually enforced by the resolver.

Sure, but it is enforced by the current RZ key management process. ICANN can not sign an arbitrary RRset unless several key components are modified, including the DPS and the software used for signing.


More information about the ksk-rollover mailing list