March 30, 2019
10:03 a.m.
On Fri, 29 Mar 2019 at 22:14, Michael StJohns <msj@nthpermutation.com> wrote:
E.g., a 2-key steady state starts with A; B gets added and is signed by A for a year. Then C is added and is signed by A (A signs the DNSKEY RRset), then A is revoked and B signs the RRset for another 6 months to a year. When it's finally time for C to be the active key, it's been signed by the other two keys for quite a long time.
Given the operational experience we have with large response sizes, it seems like having three KSKs in the DNSKEY set (on top of one or more ZSKs, depending on the current status of a ZSK roll) plus RRSIGs from two different keys is probably not feasible.
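As an added illustration (not part of the thread), a back-of-the-envelope estimate of the DNSKEY response size for the two-KSK steady state versus the three-KSK, two-RRSIG step described above; it assumes RSA-2048 KSKs, an RSA-1024 ZSK, the zone name example.com, and a 1232-byte EDNS buffer as the comparison limit.

```python
# Added example: rough wire-size estimate for a DNSKEY response, to see why
# "3 KSKs + ZSK + 2 RRSIGs" is a concern. Assumes RSA (algorithm 8, RFC 3110
# key encoding), owner names compressed to a 2-byte pointer in the answer
# section, and an uncompressed signer name in each RRSIG (RFC 4034 forbids
# compressing it). Not byte-exact, but the shape is right.

def name_wire_len(name):
    """Uncompressed wire length of a domain name: one length byte per label plus the root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

RR_FIXED = 10          # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
NAME_POINTER = 2       # compressed owner name in the answer section

def rsa_key_field_len(modulus_bits):
    """RFC 3110: exponent length byte + 3-byte exponent (65537) + modulus."""
    return 1 + 3 + modulus_bits // 8

def dnskey_rr_len(modulus_bits):
    # RDATA: flags(2) + protocol(1) + algorithm(1) + public key
    return NAME_POINTER + RR_FIXED + 4 + rsa_key_field_len(modulus_bits)

def rrsig_rr_len(signer, signing_key_bits):
    # RDATA: type covered(2) + alg(1) + labels(1) + orig TTL(4) + expiration(4)
    #        + inception(4) + key tag(2) + signer name + signature
    return NAME_POINTER + RR_FIXED + 18 + name_wire_len(signer) + signing_key_bits // 8

def dnskey_response_len(zone, n_ksk, n_zsk, n_sigs, ksk_bits=2048, zsk_bits=1024):
    """Approximate size in bytes of the response to `zone DNSKEY` with n_sigs KSK signatures."""
    header = 12
    question = name_wire_len(zone) + 4            # QNAME + QTYPE + QCLASS
    answer = (n_ksk * dnskey_rr_len(ksk_bits)
              + n_zsk * dnskey_rr_len(zsk_bits)
              + n_sigs * rrsig_rr_len(zone, ksk_bits))
    opt_rr = 11                                  # EDNS OPT pseudo-RR, no options
    return header + question + answer + opt_rr

def fits_udp(size, buffer_size=1232):
    """Compare against the common 1232-byte EDNS buffer recommendation (assumed limit)."""
    return size <= buffer_size

if __name__ == "__main__":
    for label, ksks, sigs in (("2 KSKs, 1 RRSIG (steady state)", 2, 1),
                              ("3 KSKs, 2 RRSIGs (mid-roll)", 3, 2)):
        n = dnskey_response_len("example.com.", ksks, 1, sigs)
        print(f"{label}: ~{n} bytes, fits in 1232: {fits_udp(n)}")
```

With these assumptions the steady state comes out around 1039 bytes while the mid-roll set is around 1614 bytes, past the assumed buffer and into truncation-and-TCP-retry territory.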