[Opendnssec-user] Question about timings for KskDoubleSignature
Boris Gulay
boris at boressoft.ru
Sun Sep 14 14:20:55 UTC 2025
Hello. Can you please confirm that my understanding of timings and
elements in kasp.xml for KskDoubleSignature is correct:
1. New KSK is generated and added to zone.
2. Wait Signatures/MaxZoneTTL for old DNSKEY RRSet to expire.
3. Publish new DS to parent zone.
4. Wait Parent/DS/TTL for old DS from parent zone to expire.
5. Remove old KSK from zone.
Is the sequence right and complete? Did I found sources for timings
correct?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20250914/8a9e39d3/attachment.htm>
More information about the Opendnssec-user
mailing list