<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><blockquote type="cite"><div><font class="Apple-style-span" color="#000000"><br></font>the idea is if you put the KSK and the ZSK is separate repositories, you could handle a KSK loss easier if you have a longer signature validity by the KSK. in case of a KSK loss, you would increase the refresh and survive a bit longer. at least in theory.<br></div></blockquote><div><br></div><div>Yes, so you do want to have the possibility to set a higher minimum validity period for the signatures over the DNSKEY RRset.</div><div><br></div><div>But if you increase the refresh period, then this also affects the signatures from the ZSK. </div><br><blockquote type="cite"><div><br><blockquote type="cite">I my example, you can set the refresh to 15 days, but the you will always create new signatures with the ZSK.<br></blockquote><br>which is not a problem.<br></div></blockquote></div><br><div>It is, if you have a large zone. We do not want to create a complete new set of signatures every second hour.</div><div><br></div><div>If we are going to do this for this release, then we should do it correctly from the beginning. And not patch it up for the next release.</div><div><br></div><div>// Rickard</div></body></html>