[Opendnssec-develop] Deactivating old KSK
Jakob Schlyter
jakob at kirei.se
Tue Nov 3 12:06:27 UTC 2009
On 3 nov 2009, at 11.22, Stephen.Morris at nominet.org.uk wrote:
> The draft actually suggests the "double RRset", which minimises the
> key rollover time. In this method the new KSK is added to the zone
> and the associated DS record submitted to the parent. After a
> suitable interval, the old DS record and KSK can be removed.
> However, that does separate the addition of the new DS record to the
> parent and the removal of the old one. The double KSK, although
> taking longer, requires only one communication with the parent when
> changing the DS record. What do people think - do the advantages of
> a single change to the parent zone outweigh the disadvantages of a
> longer rollover?
A single interaction with the parent seems easiest to me and involves
few manual steps.
jakob
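
The trade-off discussed in this thread, modelled as an added example (not part of the original message and not OpenDNSSEC code): it counts the parent interactions and waits for each method and checks that no mix of cached DS and DNSKEY records breaks the chain of trust. The step sequence for the double-KSK method is not spelled out in the thread and is filled in here as an assumption (new KSK published first, DS swapped once, old KSK then removed); the key names and the naive-swap plan are constructed.

```python
# Added illustration (not OpenDNSSEC code): a toy model of KSK rollover.
# A resolver validates the child zone when at least one DS record it holds
# from the parent matches a KSK in the DNSKEY RRset it holds for the child.
# Assumption: each step waits out the relevant TTLs, so a cache can only mix
# records from the current step and the one immediately before it.
from itertools import product

# Each step: (DS set published by the parent, KSK set published by the child)
DOUBLE_KSK = [
    ({"old"}, {"old"}),
    ({"old"}, {"old", "new"}),   # child adds the new KSK
    ({"new"}, {"old", "new"}),   # parent swaps DS: the only parent change
    ({"new"}, {"new"}),          # child removes the old KSK
]
DOUBLE_RRSET = [
    ({"old"}, {"old"}),
    ({"old", "new"}, {"old", "new"}),  # new KSK and new DS added together
    ({"new"}, {"new"}),                # old KSK and old DS removed together
]
NAIVE_SWAP = [  # constructed counter-example: no overlap period at all
    ({"old"}, {"old"}),
    ({"new"}, {"new"}),
]

def parent_interactions(steps):
    """Count the steps at which the DS set at the parent changes."""
    return sum(1 for a, b in zip(steps, steps[1:]) if a[0] != b[0])

def waits(steps):
    """Number of transitions, each followed by a TTL/propagation wait."""
    return len(steps) - 1

def broken_cache_states(steps):
    """Return (step, ds, keys) cache mixes in which no DS matches any KSK."""
    bad = []
    for i, (prev, cur) in enumerate(zip(steps, steps[1:]), start=1):
        for ds, keys in product((prev[0], cur[0]), (prev[1], cur[1])):
            if not ds & keys:
                bad.append((i, sorted(ds), sorted(keys)))
    return bad

if __name__ == "__main__":
    for name, plan in [("double KSK", DOUBLE_KSK),
                       ("double RRset", DOUBLE_RRSET),
                       ("naive swap", NAIVE_SWAP)]:
        print(name, parent_interactions(plan), waits(plan),
              broken_cache_states(plan))
```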