Oct. 10, 2014
7:03 a.m.
On Fri, Oct 10, 2014 at 08:05:50AM +0200, Jakob Schlyter wrote:
> No, both keys need to sign the ZSK that signs the DS records in the root zone. And that invalidates the rest of your (otherwise interesting) proposal. Sorry :-/
the "-v" is that since the old KSK (at least) needs to sign the ZSK and thus the DNSKEY RRSet, the new KSK will always be signed by the old one and therefore its SEP properties cannot be tested?

-Peter