[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

manning bill bmanning at isi.edu
Mon Sep 22 23:44:11 UTC 2014


I believe that was added after discussions of the authors of the alternative draft when trying to deal with
devices built & warehoused for a period… the specific period resolved to 60 days.


/bill
PO Box 12317
Marina del Rey, CA 90295
310.322.8102

On 21September2014Sunday, at 12:27, Jakob Schlyter <jakob at kirei.se> wrote:

> On 21 sep 2014, at 20:38, Michael StJohns <msj at nthpermutation.com> wrote:
> 
>> There's some (explicitly designed) weirdness in 5011 related to this.  Basically, once a key is added to the trust anchor set, it remains there until revoked.  Absence of the key in the DNSKEY RRSet does not affect its inclusion in the TA set.  So you could add a deep standby key leaving it in the DNSKEY RRSet for about 60 days (to ensure its addition as a trust anchor).  Then excluding it from further RRSet publications until actually needed.  The specific 5011 state is "missing".
> 
> I've noticed this feature in the past, and I believe it is more useful and important than one might think at first.
> 
> 	jakob


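The "missing" behaviour discussed in this thread, as an added example that is not part of either post: a simplified model of the RFC 5011 key states for a single key. The function names and the daily observation schedule are assumptions; it uses RFC 5011's 30-day add hold-down, ignores the TTL term, and treats Revoked as final (the remove hold-down is omitted).

```python
# Simplified RFC 5011 state model for ONE key at one trust point (illustrative).
ADD_HOLD_DOWN_DAYS = 30          # RFC 5011 add hold-down; TTL term ignored here
TRUSTED = {"Valid", "Missing"}   # states in which the key is a trust anchor

def step(state, since, day, present, revoked):
    """One validated observation of the DNSKEY RRSet.
    present: key is in the RRSet; revoked: REVOKE bit set on it.
    Returns (new_state, day the add hold-down started or None)."""
    if state == "Start" and present and not revoked:
        return "AddPend", day                      # NewKey
    if state == "AddPend":
        if not present:
            return "Start", None                   # KeyRem: acceptance resets
        if day - since >= ADD_HOLD_DOWN_DAYS:
            return "Valid", None                   # AddTime
    elif state in ("Valid", "Missing"):
        if present and revoked:
            return "Revoked", None                 # RevBit
        # KeyRem / KeyPres: absence never drops the key from the TA set
        return ("Valid" if present else "Missing"), None
    return state, since

def simulate(observations):
    """observations: iterable of (day, present, revoked). Returns {day: state}."""
    state, since, history = "Start", None, {}
    for day, present, revoked in observations:
        state, since = step(state, since, day, present, revoked)
        history[day] = state
    return history

def standby_schedule(publish_days, total_days):
    """Constructed schedule: key published for publish_days, then withdrawn."""
    return [(d, d < publish_days, False) for d in range(total_days)]

if __name__ == "__main__":
    h = simulate(standby_schedule(60, 120))        # the ~60 days from the thread
    for d in (0, 29, 30, 59, 60, 119):
        print(d, h[d], "trusted" if h[d] in TRUSTED else "not trusted")
    # Withdrawn before the hold-down completes: never becomes a trust anchor.
    print(simulate(standby_schedule(20, 120))[119])
```

A resolver that first starts up after the key has been withdrawn never sees it at all, which is the built-and-warehoused device case raised in the reply.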
