[Opendnssec-develop] ZSK rollovers

Jakob Schlyter jakob at kirei.se
Thu May 6 12:07:57 UTC 2010

On 6 maj 2010, at 14.07, Matthijs Mekking wrote:

> That rule implies that we always going to use double signature rollover
> for KSKs and always going to use pre-publish key rollover for ZSKs

for KSK, no - if you use a pre-publish key rollover for the KSK it works as well.
for ZSK, yes - but doing anything else for ZSK rollovers is IMHO just plain stupid.

also, doing double signature rollovers with just one combined KSK/ZSK works as well but that is just absurd.


More information about the Opendnssec-develop mailing list