<clueless *and* top-posting>
Okay, could you describe a situation where a KSK rollover does *not* require replacement of trust anchors? I must be missing something...
</clueless *and* top-posting>

--Rip

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Olaf M. Kolkman
> Sent: Monday, June 13, 2005 10:08 AM
> To: [email protected]
> Subject: [dnsop] DOP #13: KSK/ZSK differences nit
>
> Also see thread starting at:
> http://darkwing.uoregon.edu/~llynch/dnsop/msg03465.html
>
> Ed was the last to respond:
>
> > >> #4.2.3 Difference Between ZSK and KSK Rollovers
> > >> #
> > >> # Note that KSK rollovers and ZSK rollovers are different. A zone-key
> > >> # rollover can be handled in two different ways: pre-publish (Section
> > >> # Section 4.2.1.1) and double signature (Section Section 4.2.1.2).
> > >>
> > >> They really aren't that different - it's just the interaction with the
> > >> parent and waiting on the parent that is different. To a KSK, the "entire"
> > >> zone is the DNSKEY set, as opposed to all sets for the ZSK.
> > >
> > >Suggestion
> > >
> > > Note that KSK rollovers and ZSK rollovers are slightly different.
> > >                                               ^^^^^^^^
> >
> > Maybe that's over simplifying it.
> >
> > Note that a KSK rollover and a ZSK rollover are similar but differ in
> > one fundamental aspect. KSK rollovers involve requesting action by
> > the parent and the ensuing delay in waiting for it. Other than that,
> > both can be achieved by pre-publishing the new key or by using double
> > signatures during the rollover.
>
> Another try for draft text:
>
> Note that KSK rollovers and ZSK rollovers are different in the sense
> that a KSK rollover requires interaction with the parent (and possibly
> replacing of trust anchors) and the ensuing delay waiting for it.
>
> --Olaf
>
> ---------------------------------| Olaf M. Kolkman
> ---------------------------------| RIPE NCC
> ---------------------------------| JID: olaf at jabber.secret-wg.org
> .
> dnsop resources:_____________________________________________________
> web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
> mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
