[ksk-change] Testing new keys added
Peter Koch
pk at denic.de
Fri Oct 10 07:03:06 UTC 2014
On Fri, Oct 10, 2014 at 08:05:50AM +0200, Jakob Schlyter wrote:
> No, both keys need to sign the ZSK that signs the DS records in the root zone. And that invalidates the rest of your (otherwise interesting) proposal. Sorry :-/
the "-v" is that since the old KSK (at least) needs to sign the ZSK and thus the
DNSKEY RRSet, the new KSK will always be signed by the old one and therefore
its SEP properties cannot be tested?
-Peter