Sept. 21, 2014
7:27 p.m.
On 21 Sep 2014, at 20:38, Michael StJohns <msj@nthpermutation.com> wrote:
There's some (explicitly designed) weirdness in 5011 related to this. Basically, once a key is added to the trust anchor set, it remains there until revoked. Absence of the key in the DNSKEY RRSet does not affect its inclusion in the TA set. So you could add a deep standby key, leaving it in the DNSKEY RRSet for about 60 days (to ensure its addition as a trust anchor), then exclude it from further RRSet publications until actually needed. The specific 5011 state is "missing".
I've noticed this feature in the past, and I believe it is more useful and important than one might think at first. jakob
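A small RFC 5011 state tracker that reproduces the behaviour discussed above: a key that completed the add hold-down stays trusted while absent from the DNSKEY RRset ("Missing") and leaves only via revocation. This is an added example, not code from the thread or from any resolver; the 30-day hold-downs are RFC 5011's values, and the timeline and key tags are constructed.

```python
from dataclasses import dataclass, field

ADD_HOLD_DOWN = 30     # days, RFC 5011 add hold-down
REMOVE_HOLD_DOWN = 30  # days, RFC 5011 remove hold-down
REVOKE = 0x80          # REVOKE bit in the DNSKEY flags field

@dataclass
class Anchor:
    state: str   # AddPend, Valid, Missing or Revoked (Start = not in the set)
    since: int   # day the current state was entered

@dataclass
class TrustAnchorSet:
    anchors: dict = field(default_factory=dict)  # key_tag -> Anchor

    def observe(self, day, rrset):
        """Process one validated DNSKEY RRset, given as {key_tag: flags}."""
        for tag, a in list(self.anchors.items()):
            present = tag in rrset
            revoked = present and bool(rrset[tag] & REVOKE)
            if a.state == "AddPend":
                if revoked or not present:
                    del self.anchors[tag]  # hold-down interrupted: back to Start
                elif day - a.since >= ADD_HOLD_DOWN:
                    self.anchors[tag] = Anchor("Valid", day)
            elif a.state == "Valid":
                if revoked:
                    self.anchors[tag] = Anchor("Revoked", day)
                elif not present:
                    self.anchors[tag] = Anchor("Missing", day)  # still trusted
            elif a.state == "Missing":
                if revoked:
                    self.anchors[tag] = Anchor("Revoked", day)
                elif present:
                    self.anchors[tag] = Anchor("Valid", day)
            elif a.state == "Revoked" and day - a.since >= REMOVE_HOLD_DOWN:
                del self.anchors[tag]
        for tag, flags in rrset.items():  # unknown, non-revoked keys start the hold-down
            if tag not in self.anchors and not flags & REVOKE:
                self.anchors[tag] = Anchor("AddPend", day)

    def trusted(self):
        return {t for t, a in self.anchors.items() if a.state in ("Valid", "Missing")}

def standby_key_scenario():
    # Constructed timeline: tag 1 is the active KSK, tag 2 the deep standby key.
    tas = TrustAnchorSet({1: Anchor("Valid", 0)})
    tas.observe(0, {1: 257, 2: 257})            # standby key first published
    tas.observe(20, {1: 257, 2: 257})           # hold-down not yet expired
    trusted_at_day_20 = 2 in tas.trusted()
    tas.observe(60, {1: 257, 2: 257})           # ~60 days: hold-down has certainly passed
    tas.observe(61, {1: 257})                   # key withdrawn from the RRset -> Missing
    trusted_while_missing = 2 in tas.trusted() and tas.anchors[2].state == "Missing"
    tas.observe(401, {1: 257, 2: 257 | REVOKE}) # much later, the operator revokes it
    tas.observe(440, {1: 257})                  # remove hold-down elapsed
    return trusted_at_day_20, trusted_while_missing, 2 not in tas.anchors
```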