Olafur Gudmundsson <[email protected]> wrote:

> Section 2.2 and 2.3.
>
> The document says that Pre-Publication is not applicable to KSK
> rollover, this is wrong as new KSK can be added to the child's DNSKEY
> RRset without signing the DNSKEY RRset, there is nothing in the
> protocol specification that prevents this.

There is an important difference, though. A pre-published ZSK is
immediately useful for signing without any further steps required
(after waiting for cache expiry). If you pre-publish a KSK you don't get
usefully closer to adding the new link in the chain of trust: you still
have to go through a complete iteration of one of the KSK rollover
procedures described in the draft, except instead of adding the new
KSK+RRSIG you only need to add the new RRSIG. So I'm not sure what the
value of mentioning this possibility is.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
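As an added illustration of the distinction drawn in the reply above (not code from the thread or from any DNS implementation), here is a toy Python model of the chain of trust: a key is a usable link only when the parent's DS covers it, it is in the DNSKEY RRset, and it signs that RRset. Key names and rollover steps are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Key:
    """A DNSKEY, named only; no real cryptography is modelled."""
    name: str
    ksk: bool  # True for a key-signing key, False for a zone-signing key

@dataclass
class Zone:
    dnskeys: set = field(default_factory=set)          # keys in the DNSKEY RRset
    dnskey_signers: set = field(default_factory=set)   # keys with an RRSIG over that RRset
    parent_ds: set = field(default_factory=set)        # keys the parent's DS RRs point at

def anchors(zone):
    """Keys forming a complete link in the chain of trust: covered by a DS,
    published in the DNSKEY RRset, and signing that RRset."""
    return zone.parent_ds & zone.dnskeys & zone.dnskey_signers

def trusted_keys(zone):
    """A validator accepts the whole DNSKEY RRset once any one anchor validates it."""
    return set(zone.dnskeys) if anchors(zone) else set()

def prepublished_zsk_is_usable():
    """Constructed scenario: ZSK2 pre-published in a DNSKEY RRset signed by KSK1."""
    ksk1, zsk1, zsk2 = Key("KSK1", True), Key("ZSK1", False), Key("ZSK2", False)
    zone = Zone({ksk1, zsk1, zsk2}, {ksk1}, {ksk1})
    # Once caches hold the new RRset, ZSK2 may take over signing zone data
    # with no further step.
    return zsk2 in trusted_keys(zone)

def prepublished_ksk_rollover():
    """Constructed scenario: KSK2 pre-published without signing the RRset.
    Returns, per step, whether KSK2 is yet a link in the chain of trust."""
    ksk1, ksk2, zsk1 = Key("KSK1", True), Key("KSK2", True), Key("ZSK1", False)
    zone = Zone({ksk1, ksk2, zsk1}, {ksk1}, {ksk1})
    steps = [("KSK2 pre-published", ksk2 in anchors(zone))]
    zone.parent_ds.add(ksk2)                 # parent publishes DS for KSK2
    steps.append(("DS for KSK2 added", ksk2 in anchors(zone)))
    zone.dnskey_signers.add(ksk2)            # KSK2 now signs the DNSKEY RRset
    steps.append(("RRSIG by KSK2 added", ksk2 in anchors(zone)))
    for s in (zone.dnskeys, zone.dnskey_signers, zone.parent_ds):
        s.discard(ksk1)                      # retire KSK1 everywhere
    steps.append(("KSK1 retired", trusted_keys(zone) == {ksk2, zsk1}))
    return steps
```

The pre-published KSK only becomes a link after both the DS change at the parent and the new RRSIG, which is the full rollover iteration the reply describes, minus the step of adding the key itself.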
