[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

Jakob Schlyter jakob at kirei.se
Sun Sep 21 19:27:52 UTC 2014


On 21 sep 2014, at 20:38, Michael StJohns <msj at nthpermutation.com> wrote:

> There's some (explicitly designed) weirdness in 5011 related to this.  Basically, once a key is added to the trust anchor set, it remains there until revoked.  Absence of the key in the DNSKEY RRSet does not affect its inclusion in the TA set.  So you could add a deep standby key, leaving it in the DNSKEY RRSet for about 60 days (to ensure its addition as a trust anchor), then exclude it from further RRSet publications until actually needed.  The specific 5011 state is "missing".

I've noticed this feature in the past, and I believe it is more useful and important than one might think at first.

	jakob
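The RFC 5011 behaviour discussed above, as an added illustration that is not code from this thread or from any resolver: a small trust-anchor state tracker in which a key that has passed the add hold-down stays trusted while unpublished ("Missing") and leaves the set only after being seen with the REVOKE bit. It assumes every observed DNSKEY RRset has already been validated by a current trust anchor, identifies keys by key tag, and uses RFC 5011's 30-day add and remove hold-down values; the key tags and days in the test are constructed.

```python
"""RFC 5011 trust-anchor state machine (added example, not from the thread).
Assumes each observed DNSKEY RRset was validated by an existing anchor."""
from dataclasses import dataclass, field

ADD_HOLD_DOWN = 30     # days a new key must stay published before it is trusted
REMOVE_HOLD_DOWN = 30  # days a revoked key is remembered before it is dropped


@dataclass
class Anchor:
    state: str   # AddPend, Valid, Missing, Revoked or Removed
    since: int   # day on which the current hold-down timer started


@dataclass
class TrustAnchorSet:
    anchors: dict = field(default_factory=dict)   # key tag -> Anchor

    def observe(self, day, rrset):
        """rrset maps key tag -> True if that key carries the REVOKE bit."""
        for tag, revoked in rrset.items():
            a = self.anchors.get(tag)
            if a is None:
                if not revoked:                      # brand-new key: start add hold-down
                    self.anchors[tag] = Anchor("AddPend", day)
            elif revoked and a.state in ("Valid", "Missing"):
                self.anchors[tag] = Anchor("Revoked", day)   # start remove hold-down
            elif a.state == "AddPend" and day - a.since >= ADD_HOLD_DOWN:
                a.state = "Valid"                    # seen throughout the hold-down
            elif a.state == "Missing":
                a.state = "Valid"                    # standby key republished when needed
        for tag, a in list(self.anchors.items()):
            if a.state == "Revoked" and day - a.since >= REMOVE_HOLD_DOWN:
                a.state = "Removed"                  # kept so it can never be re-added
            elif tag in rrset:
                continue
            elif a.state == "AddPend":
                del self.anchors[tag]                # vanished during hold-down: start over
            elif a.state == "Valid":
                a.state = "Missing"                  # absent from the RRset, still trusted
        return self.trusted()

    def trusted(self):
        """Key tags the resolver will currently accept as trust anchors."""
        return {t for t, a in self.anchors.items() if a.state in ("Valid", "Missing")}
```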
