[Opendnssec-user] Why do we need standby keys?

Ondřej Surý ondrej at sury.org
Fri Jul 9 07:07:32 UTC 2010

> Why do you need to add the DNSKEY of the previous KSK to the unsigned
> zone? If someone has the old DNSKEY RRSIG cached, he/she also has the
> old DNSKEYs cached and is able to validate the DNSKEY RRset.

Nope. RRSIG and DNSKEY RRSets often have different TTLs, and even if
they were the same, they will almost never be cached at the same time.

Ondřej Surý <ondrej at sury.org>
