[ksk-change] Testing new keys added

Paul Hoffman paul.hoffman at vpnc.org
Mon Oct 13 05:24:25 UTC 2014


On Oct 12, 2014, at 11:49 AM, Jakob Schlyter <jakob at kirei.se> wrote:

> On 10 Oct 2014, at 18:49, Michael StJohns <msj at nthpermutation.com> wrote:
> 
>> Not exactly.  By convention we split ZSK and KSK duties, but that's not actually enforced by the resolver.
> 
> Sure, but it is enforced by the current RZ key management process. ICANN cannot sign an arbitrary RRset unless several key components are modified, including the DPS and the software used for signing.

The latter part seems interesting to me. Is this written down anywhere where the rest of us can view it? There may be other things in such a document that might help this discussion.

--Paul Hoffman

