[ksk-rollover] alternatives to 5110 for automating roll-over

Matthew Pounsett matt at conundrum.com
Sat Mar 30 10:03:59 UTC 2019


On Fri, 29 Mar 2019 at 22:14, Michael StJohns <msj at nthpermutation.com>
wrote:

> E.g. 2 key steady state starts with A, B gets added and is signed by A for
> a year.  Then C is added, and is signed by A (A signs the DNSKEY RRSET),
> then A is revoked and B signs the RRSet for another 6 months to a year.
> When it's finally time for C to be the active key, it's been signed by the
> other two keys for quite a long time.
>

Given the operational experience we have with large response sizes, it
seems like having three KSKs in the DNSKEY set (on top of one or more ZSKs,
depending on the current status of a ZSK roll) plus RRSIGs from two
different keys is probably not feasible.
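An added illustration of the response-size concern (not part of the thread): a Python estimate of the root DNSKEY response at each stage of the scheme quoted above, assuming RSA-2048 keys as the root uses, the one-byte root owner name, and an empty EDNS(0) OPT record.

```python
# Added example (not from the thread): estimate the wire size of a root-zone
# DNSKEY response at each stage of the three-KSK scheme quoted above.
# Assumptions: RSA-2048 keys, owner and signer name "." (1 byte), OPT with
# empty RDATA, no name compression (nothing to compress for ".").
HEADER = 12                 # DNS message header
QUESTION = 1 + 2 + 2        # "." + QTYPE + QCLASS
OPT_RR = 1 + 2 + 2 + 4 + 2  # EDNS(0) OPT pseudo-RR with empty RDATA
RR_FIXED = 2 + 2 + 4 + 2    # TYPE, CLASS, TTL, RDLENGTH

def dnskey_rr_len(key_bits=2048, owner_len=1):
    """Wire length of one RSA DNSKEY RR: flags, protocol, algorithm, then the
    RFC 3110 key: exponent length byte, 3-byte exponent (65537), modulus."""
    rdata = 2 + 1 + 1 + (1 + 3 + key_bits // 8)
    return owner_len + RR_FIXED + rdata

def rrsig_rr_len(key_bits=2048, owner_len=1, signer_len=1):
    """Wire length of one RSA RRSIG RR (RFC 4034 section 3): 18 fixed bytes,
    signer name, then a signature as long as the modulus."""
    rdata = 18 + signer_len + key_bits // 8
    return owner_len + RR_FIXED + rdata

def dnskey_response_size(ksks, zsks, rrsigs, key_bits=2048):
    """Header + question + OPT + the DNSKEY RRset + its RRSIGs, in bytes."""
    return (HEADER + QUESTION + OPT_RR
            + (ksks + zsks) * dnskey_rr_len(key_bits)
            + rrsigs * rrsig_rr_len(key_bits))

# Stages of the quoted proposal: (label, KSKs, ZSKs, RRSIGs over DNSKEY).
# A revoked RFC 5011 key stays published and must sign the RRset itself,
# which is where the second RRSIG comes from.
STAGES = [
    ("today: single KSK, one RRSIG",            1, 1, 1),
    ("steady state: A and B, signed by A",      2, 1, 1),
    ("C added, A signs",                        3, 1, 1),
    ("A revoked: B signs, revoked A self-signs", 3, 1, 2),
    ("same stage during a ZSK roll",            3, 2, 2),
]

def oversize_stages(limit=1232):
    """Stages whose estimated response exceeds `limit` bytes (1232 is the
    EDNS buffer size recommended after DNS Flag Day 2020)."""
    return [(label, dnskey_response_size(k, z, s))
            for label, k, z, s in STAGES
            if dnskey_response_size(k, z, s) > limit]

if __name__ == "__main__":
    for label, k, z, s in STAGES:
        print(f"{dnskey_response_size(k, z, s):5d} bytes  {label}")
```

The single-KSK baseline reproduces the 864-byte root DNSKEY response, while the revoke stage of the quoted scheme lands at 1700 bytes, well past both the 1232-byte EDNS recommendation and the 1280-byte IPv6 minimum MTU.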