<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 9/21/2014 2:27 PM, David Conrad
wrote:<br>
</div>
<blockquote
cite="mid:D00116F8-E584-4D6A-8499-DCAD43C28F38@icann.org"
type="cite">
<pre wrap="">On Sep 21, 2014, at 11:15 AM, Tomofumi Okubo <a class="moz-txt-link-rfc2396E" href="mailto:tomofumi.okubo@gmail.com">&lt;tomofumi.okubo@gmail.com&gt;</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">More than 1 standby key sounds even better!
</pre>
</blockquote>
<pre wrap="">
How would this impact the size of responses?
Regards,
-drc
</pre>
<br>
<pre wrap="">_______________________________________________
ksk-rollover mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ksk-rollover@icann.org">ksk-rollover@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/ksk-rollover">https://mm.icann.org/mailman/listinfo/ksk-rollover</a>
</pre>
</blockquote>
<br>
There's some (explicitly designed) weirdness in 5011 related to
this. Basically, once a key is added to the trust anchor set, it
remains there until revoked. Absence of the key in the DNSKEY RRSet
does not affect its inclusion in the TA set. So you could add a
deep standby key, leaving it in the DNSKEY RRSet for about 60 days
(to ensure its addition as a trust anchor), then exclude it from
further RRSet publications until actually needed. The specific 5011
state is "missing".<br>
<br>
Mike<br>
<br>
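The behaviour described in the message above, as an added example that is not part of the original thread or of any resolver's code: a simplified RFC 5011 state table for one key, showing that a withdrawn key sits in "Missing" and is still trusted until revoked. It assumes every observation comes from an already validated DNSKEY RRSet, uses the RFC's 30-day add and remove hold-down timers without the TTL clause, and all names and the sample schedule are constructed for illustration.

```python
# Added example: simplified RFC 5011 state table for a single tracked key.
from enum import Enum

ADD_HOLD_DOWN_DAYS = 30      # RFC 5011 add hold-down (TTL clause ignored here)
REMOVE_HOLD_DOWN_DAYS = 30   # RFC 5011 remove hold-down
State = Enum("State", "Start AddPend Valid Missing Revoked Removed")

class TrackedKey:
    def __init__(self):
        self.state = State.Start
        self.since = None  # day on which the running timer started

    def is_trust_anchor(self):
        # A Missing key is still trusted; only revocation ends that.
        return self.state in (State.Valid, State.Missing)

    def observe(self, day, present, revoked=False):
        """Apply one validated DNSKEY RRSet observation for this key."""
        s = self.state
        if s is State.Start and present and not revoked:
            self.state, self.since = State.AddPend, day      # NewKey
        elif s is State.AddPend:
            if not present or revoked:   # revoked-while-pending: assumption
                self.state, self.since = State.Start, None   # KeyRem
            elif day - self.since >= ADD_HOLD_DOWN_DAYS:
                self.state = State.Valid                     # AddTime
        elif s in (State.Valid, State.Missing) and present and revoked:
            self.state, self.since = State.Revoked, day      # RevBit
        elif s is State.Valid and not present:
            self.state = State.Missing                       # KeyRem
        elif s is State.Missing and present:
            self.state = State.Valid                         # KeyPres
        elif s is State.Revoked and day - self.since >= REMOVE_HOLD_DOWN_DAYS:
            self.state = State.Removed                       # RemTime
        return self.state

# Constructed schedule: (day, key present in RRSet, REVOKE bit set)
CONSTRUCTED_SCHEDULE = [
    (0, True, False), (29, True, False), (30, True, False),
    (61, False, False), (400, False, False), (401, True, False),
    (500, True, True), (530, True, True),
]

def simulate(schedule):
    """Return (day, state name, still a trust anchor) per observation."""
    key = TrackedKey()
    return [(day, key.observe(day, present, revoked).name, key.is_trust_anchor())
            for day, present, revoked in schedule]
```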
</body>
</html>