[Opendnssec-user] Why do we need standby keys?

[Ondřej Surý]

> Why do you need to add the DNSKEY of the previous KSK to the unsigned
> zone? If someone has the old DNSKEY RRSIG cached, he/she also has the
> old DNSKEYs cached and is able to validate the DNSKEY RRset.

Nope. RRSIG and DNSKEY RRSets have often different TTLs and even if
they were same they will almost never be cached at the same time.

Ondrej
-- 
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/