[Opendnssec-develop] Deactivating old KSK
Jakob Schlyter
jakob at kirei.se
Mon Nov 2 12:10:51 UTC 2009
On 2 nov 2009, at 13.03, Sion.Lloyd at nominet.org.uk wrote:
> There are 3 strategies for ksk rollover described in
> draft-morris-dnsop-dnssec-key-timing-01 (
> http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-01#section-4.3
> )
if we do anything semi-automatic, it should be double KSK - i.e. when
the new KSK is published, we have to wait for the operator to ack
before removing the old KSK. double DS requires the operator to upload
the DS of a not yet publish KSK to the parent, which might be a bit
difficult for most operators to understand.
so, I hope we do double KSK with manual confirm before removing the
old KSK.
jakob
More information about the Opendnssec-develop
mailing list