[ksk-change] Roll back

Michael StJohns msj at nthpermutation.com
Fri Oct 17 18:07:57 UTC 2014

Hi -

For the purposes of this message, I'm assuming we're talking not about 
placing a removed non-revoked key back into service, but placing a 
revoked key back into service.

The way 5011 works is that there's a remove hold down time for the trust 
anchor database at a resolver.  It's there to allow the resolver to 
purge old data after it's no longer valid.  Revoking a trust anchor both 
removes the key from the trust anchor set and makes it useless for 
signing things.  At the completion of the remove hold down time, say the 
resolver purges all knowledge of the trust anchor key, and then say the 
resolver sees something signed by that key.  Since the key isn't 
affirmatively a trust anchor key, a chain of trust can't be traced from 
it.  A zone owner *could* place it back into service as a trust anchor, 
but would have to go through the same process it uses to add any other 
trust anchor key.  Not a good idea, but also not really a threat surface.
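
The lifecycle described above (revoke, remove hold-down, purge, and a re-added key having to go through the add process again) can be walked through in a small model. This is an added illustration, not code from the poster or from any resolver; the key tag, the single-observation add rule and the time values are constructed assumptions, with the 30-day hold-down defaults taken from RFC 5011.

```python
"""Minimal model of the RFC 5011 trust-anchor lifecycle at a resolver.

Constructed illustration only, not resolver code. Times are in seconds.
The add hold-down is simplified to a single observation after the hold-down
elapses; RFC 5011 also requires the key to be seen across multiple queries.
"""
from dataclasses import dataclass
from enum import Enum

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY      # RFC 5011 default add hold-down time
REMOVE_HOLD_DOWN = 30 * DAY   # RFC 5011 default remove hold-down time


class State(Enum):
    ADDPEND = "AddPend"   # seen, waiting for the add hold-down to elapse
    VALID = "Valid"       # usable as a trust anchor
    REVOKED = "Revoked"   # revoke bit seen; waiting for the remove hold-down


@dataclass
class Anchor:
    key_tag: int
    state: State
    since: int            # time at which the current state was entered


class TrustAnchorStore:
    def __init__(self, add_hold_down: int = ADD_HOLD_DOWN,
                 remove_hold_down: int = REMOVE_HOLD_DOWN) -> None:
        self.anchors: dict[int, Anchor] = {}
        self.add_hold_down = add_hold_down
        self.remove_hold_down = remove_hold_down

    def observe_key(self, key_tag: int, revoked: bool, now: int) -> None:
        """Process one validly signed DNSKEY observation of `key_tag`."""
        a = self.anchors.get(key_tag)
        if a is None:
            # An unknown key enters AddPend; an unknown revoked key is ignored.
            if not revoked:
                self.anchors[key_tag] = Anchor(key_tag, State.ADDPEND, now)
            return
        if revoked and a.state is not State.REVOKED:
            # Revocation removes the key from service and starts the remove hold-down.
            a.state, a.since = State.REVOKED, now
        elif (not revoked and a.state is State.ADDPEND
              and now - a.since >= self.add_hold_down):
            a.state, a.since = State.VALID, now

    def purge_expired(self, now: int) -> list[int]:
        """Forget revoked keys whose remove hold-down has elapsed."""
        expired = [t for t, a in self.anchors.items()
                   if a.state is State.REVOKED
                   and now - a.since >= self.remove_hold_down]
        for t in expired:
            del self.anchors[t]
        return expired

    def can_anchor_chain(self, key_tag: int) -> bool:
        """A chain of trust can start only at a key in the Valid state."""
        a = self.anchors.get(key_tag)
        return a is not None and a.state is State.VALID


def scenario() -> dict:
    """Walk one constructed key through revoke, purge and re-introduction."""
    store = TrustAnchorStore()
    tag = 12345  # constructed key tag
    store.anchors[tag] = Anchor(tag, State.VALID, 0)  # preconfigured anchor
    out = {"initial": store.can_anchor_chain(tag)}
    store.observe_key(tag, revoked=True, now=10 * DAY)
    out["after_revoke"] = store.can_anchor_chain(tag)
    out["purged_early"] = store.purge_expired(now=20 * DAY)        # too soon
    out["purged_at_holddown"] = store.purge_expired(now=40 * DAY)  # 30 days later
    out["after_purge"] = store.can_anchor_chain(tag)
    # Zone owner places the same key back without the revoke bit: it is an
    # unknown key again and starts at AddPend, exactly like any new anchor.
    store.observe_key(tag, revoked=False, now=50 * DAY)
    out["reintroduced_state"] = store.anchors[tag].state.value
    out["reintroduced_usable"] = store.can_anchor_chain(tag)
    store.observe_key(tag, revoked=False, now=81 * DAY)
    out["after_add_holddown"] = store.can_anchor_chain(tag)
    return out


if __name__ == "__main__":
    for step, value in scenario().items():
        print(f"{step}: {value}")
```

The point the model makes is that a purged key and a never-seen key look identical to the resolver: neither can start a chain of trust, and re-adding the key costs the zone owner a full add hold-down period, so a stale revoked key does not by itself give anyone a way back in.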


More information about the ksk-rollover mailing list