[Opendnssec-develop] Overlapping KSKs

Jakob Schlyter jakob at kirei.se
Thu Sep 3 09:39:27 UTC 2009

On 3 sep 2009, at 04.30, sion at nominet.org.uk wrote:

> Does this work for .se? Or, do we need some new logic to mark 2 keys  
> as
> "active"?

we need to mark 2 keys active concurrently.

> Then we have a question about rollovers. If the rollover is an  
> emergency
> one do we have to assume that all keys on that HSM are compromised?  
> Do we
> need to think about standby keys (ones on the same hsm, waiting for
> scheduled rollovers) and emergency keys (stored on a separate hsm) as
> separate entities?

in amsterdam we decided that what we currently call "emergency keys"  
should be renamed to "standby keys". the reason was that the standby  
keys are more used for standby than for actual emergency, IIRC:


More information about the Opendnssec-develop mailing list