[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

Michael StJohns msj at nthpermutation.com
Sun Sep 21 18:38:23 UTC 2014

On 9/21/2014 2:27 PM, David Conrad wrote:
> On Sep 21, 2014, at 11:15 AM, Tomofumi Okubo <tomofumi.okubo at gmail.com> wrote:
>> More than 1 standby key sounds even better!
> How would this impact the size of responses?
> Regards,
> -drc
> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover

There's some (explicitly designed) weirdness in 5011 related to this.  
Basically, once a key is added to the trust anchor set, it remains there 
until revoked.  Absence of the key in the DNSKEY RRSet does not affect 
its inclusion in the TA set.  So you could add a deep stand by key 
leaving it in the DNSKEY RRSet for about 60 days (to ensure its addition 
as a trust anchor).  Then excluding it from further RRSet publications 
until actually needed.  The specific 5011 state is "missing".


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20140921/b30cf97e/attachment.html>

More information about the ksk-rollover mailing list