<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/10/2014 2:05 AM, Jakob Schlyter
wrote:<br>
</div>
<blockquote cite="mid:98D53E7D-2F61-42C5-8B59-F24DDAEF7D8F@kirei.se"
type="cite">
<pre wrap="">On 10 Oct 2014, at 04:19, Paul Hoffman <a class="moz-txt-link-rfc2396E" href="mailto:paul.hoffman@vpnc.org">&lt;paul.hoffman@vpnc.org&gt;</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Assuming that a rollover uses the Double-KSK method described previously, is there an intention to test systems for the new SEP key before removing the old one? That is, if A is the current KSK and IANA adds B, after the 30-day hold-down time, either key could be used to sign zones in the root.
</pre>
</blockquote>
<pre wrap="">
No, both keys need to sign the ZSK that signs the DS records in the root zone. And that invalidates the rest of your (otherwise interesting) proposal. Sorry :-/</pre>
</blockquote>
<br>
Not exactly. By convention we split ZSK and KSK duties, but that's
not actually enforced by the resolver.<br>
<br>
<br>
So <br>
<ol>
<li>A and B sign (A B Z)</li>
<li>Z signs most of the zone.</li>
<li>B signs the DS record for the test zone.</li>
</ol>
<br>
Should work. But that doesn't prove anything about B's "trust
anchor"ness because the chain can go A -> (A B Z) -> B(DS)
rather than B -> (A B Z) -> B(DS).<br>
<br>
If I'd been smarter, I would have provided a convention to query a
caching validating resolver for its trust anchors. <br>
<br>
Mike<br>
<br>
<br>
<blockquote cite="mid:98D53E7D-2F61-42C5-8B59-F24DDAEF7D8F@kirei.se"
type="cite">
<pre wrap="">
        jakob
</pre>
</blockquote>
<br>
</body>
</html>