Also see thread starting at:
   http://darkwing.uoregon.edu/~llynch/dnsop/msg03465.html


Ed was the last to respond:

> >>
> >>  #4.2.3  Difference Between ZSK and KSK Rollovers
> >>  #
> >>  #   Note that KSK rollovers and ZSK rollovers are different.  A zone-key
> >>  #   rollover can be handled in two different ways: pre-publish (Section
> >>  #   Section 4.2.1.1) and double signature (Section Section 4.2.1.2).
> >>
> >>  They really aren't that different - it's just the interaction with the
> >>  parent and waiting on the parent that is different.  To a KSK, the
> >>  "entire" zone is the DNSKEY set, as opposed to all sets for the ZSK.
> >
> >Suggestion
> >
> >    Note that KSK rollovers and ZSK rollovers are slightly different.
> >                                                  ^^^^^^^^
> 
> Maybe that's oversimplifying it.
> 
> Note that a KSK rollover and a ZSK rollover are similar but differ in 
> one fundamental aspect.  KSK rollovers involve requesting action by 
> the parent and the ensuing delay in waiting for it.  Other than that, 
> both can be achieved by pre-publishing the new key or by using double 
> signatures during the rollover.

Another try for draft text:

  Note that KSK rollovers and ZSK rollovers are different in the sense
  that a KSK rollover requires interaction with the parent (and possibly
  replacing of trust anchors) and the ensuing delay waiting for it.
 


--Olaf

---------------------------------| Olaf M. Kolkman
---------------------------------| RIPE NCC
---------------------------------| JID: olaf at jabber.secret-wg.org