[Opendnssec-develop] Deactivating old KSK

Jakob Schlyter jakob at kirei.se
Mon Nov 2 12:10:51 UTC 2009

On 2 nov 2009, at 13.03, Sion.Lloyd at nominet.org.uk wrote:

> There are 3 strategies for ksk rollover described in
> draft-morris-dnsop-dnssec-key-timing-01
> (http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-01#section-4.3)

if we do anything semi-automatic, it should be double KSK - i.e. when  
the new KSK is published, we have to wait for the operator to ack  
before removing the old KSK. double DS requires the operator to upload  
the DS of a not yet published KSK to the parent, which might be a bit
difficult for most operators to understand.

so, I hope we do double KSK with manual confirm before removing the  
old KSK.

