--- Begin Message ---
Hello,
> From: dns-operations <[email protected]> On behalf of
> Ondrej Surý
> Sent: Friday, 14 January 2022 11:35
>
> Yes, the non-signing KSK could be an offline disaster recovery key. There's
> nothing wrong with having more keys in DS than used because the change
> process for DS is more complicated than swapping the active key in the zone.
[AM] I can second what Ondrej has written. We (.at) do have an identical setup
with an (additional) emergency key that's in the root zone, but not used under
normal operational circumstances to sign the zone. The management of that
disaster recovery key is completely disjunct from our "main" key.
Best,
Alex
--- End Message ---
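An added check illustrating the setup discussed in the thread (this is example code, not anything from the list or from .at): it recomputes DS digests from a zone's DNSKEY RRset, matches them against the DS set published at the parent, and separates the KSK that actually signs from the standby KSK that is only anchored in DS. It assumes SHA-256 DS records (digest type 2), algorithm 13 keys with constructed placeholder key bytes, and that the caller supplies the key tags of the RRSIGs covering the DNSKEY RRset.

```python
import hashlib
import struct

# Constructed example data (not from the thread): zone "example." with two KSKs
# (flags 257) and one ZSK (flags 256), algorithm 13; key bytes are placeholders.
ZONE = "example."
KSK_A = (257, 13, bytes(range(0, 32)))    # signs the DNSKEY RRset
KSK_B = (257, 13, bytes(range(32, 64)))   # emergency key: in DS, never signs
ZSK_Z = (256, 13, bytes(range(64, 96)))
DNSKEYS = [KSK_A, KSK_B, ZSK_Z]

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def audit_keys(owner, dnskeys, parent_ds, rrsig_keytags):
    """Classify each DNSKEY and return parent DS entries that match no key.
    parent_ds: {(key_tag, alg, sha256_hex)}; rrsig_keytags: signers of DNSKEY RRset."""
    roles, matched = {}, set()
    for flags, alg, pub in dnskeys:
        rd = dnskey_rdata(flags, alg, pub)
        tag = key_tag(rd)
        ds = (tag, alg, ds_sha256(owner, rd))
        in_ds, signs = ds in parent_ds, tag in rrsig_keytags
        if in_ds:
            matched.add(ds)
        if not flags & 1:                  # SEP bit clear: zone-signing key
            roles[tag] = "ZSK"
        elif in_ds and signs:
            roles[tag] = "active KSK"
        elif in_ds:
            roles[tag] = "standby KSK"     # the disaster-recovery key described above
        else:
            roles[tag] = "KSK without DS"  # cannot anchor a chain of trust
    return roles, sorted(parent_ds - matched)   # stale DS at the parent, if any
```

A stale entry in the second return value is the case the quoted reply warns about: a DS that no longer matches any published key is the expensive thing to fix, so it should be caught before the matching DNSKEY is removed.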
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations