Ahh.. Got it. Thank you. I was on the wrong plane of thought. Engineering is not the hard part here.

Sent from my iPhone

On Oct 10, 2014, at 12:56, Michael StJohns <msj@nthpermutation.com> wrote:

> On 10/10/2014 3:08 PM, Richard Lamb wrote:
>
>> Jakob's right. If I understand the question correctly, you always need two KSK RRSIGs to be able to simultaneously validate with either TA. I learned that when I was testing ksrsigner.c for key rolls.
>>
>> -Rick
>
> That's not what the stuff below was about exactly. The issue is actually that the trust chains from A and B can't ever be independent because both chains must pass through the monolithic signed root DNSKEY RRSet. So it's impossible to set up a zone that can *only* be verified if you've installed "B" as a trust anchor. (*sigh* That's not exactly the right way to say it but close enough for government work....)
>
> Mike
>
>> -----Original Message-----
>> From: ksk-rollover-bounces@icann.org [mailto:ksk-rollover-bounces@icann.org] On Behalf Of Jakob Schlyter
>> Sent: Thursday, October 09, 2014 11:06 PM
>> To: Paul Hoffman
>> Cc: ksk-rollover@icann.org
>> Subject: Re: [ksk-change] Testing new keys added
>>
>> On 10 Oct 2014, at 04:19, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>>
>>> Assuming that a rollover uses the Double-KSK method described previously, is there an intention to test systems for the new SEP key before removing the old one? That is, if A is the current KSK and IANA adds B, after the 30-day hold-down time, either key could be used to sign zones in the root.
>>
>> No, both keys need to sign the ZSK that signs the DS records in the root zone. And that invalidates the rest of your (otherwise interesting) proposal.
>>
>> Sorry :-/
>>
>> jakob

_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover
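
The point made in the thread, as an added example that is not part of any message above: a toy model of the root trust chain in which every key lives in one DNSKEY RRset, showing that which trust anchors validate is decided by who signed that RRset, never per zone. Assumptions: HMAC stands in for a public-key signature, and the key values, TLD names and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed toy keys. HMAC stands in for a public-key signature, so one
# value both signs and verifies; only the shape of the chain is modelled.
KSK_A, KSK_B, ZSK = b"ksk-A", b"ksk-B", b"zsk-1"
TRUST_ANCHORS = {"A": KSK_A, "B": KSK_B}

def sign(key, rrset):
    return hmac.new(key, repr(sorted(rrset)).encode(), hashlib.sha256).digest()

def ds_rrset(tld):
    return [b"DS " + tld.encode()]  # placeholder DS data for the TLD

def build_root(dnskey_signers, ds_signers):
    """dnskey_signers: KSKs that sign the DNSKEY RRset.
    ds_signers: {tld: key that signs that TLD's DS RRset}."""
    dnskey = [KSK_A, KSK_B, ZSK]  # one RRset holds every root key
    return {
        "dnskey": dnskey,
        "dnskey_sigs": [sign(k, dnskey) for k in dnskey_signers],
        "ds": {tld: sign(k, ds_rrset(tld)) for tld, k in ds_signers.items()},
    }

def validates(root, anchor, tld):
    dnskey = root["dnskey"]
    # Step 1: the configured anchor must have signed the whole DNSKEY RRset.
    want = sign(anchor, dnskey)
    if anchor not in dnskey or not any(
            hmac.compare_digest(want, s) for s in root["dnskey_sigs"]):
        return False
    # Step 2: every key in the now-trusted RRset may vouch for the DS RRset.
    return any(hmac.compare_digest(root["ds"][tld], sign(k, ds_rrset(tld)))
               for k in dnskey)

def accepting_anchors(root):
    """For each TLD, the names of trust anchors whose holders validate it."""
    return {tld: {n for n, k in TRUST_ANCHORS.items() if validates(root, k, tld)}
            for tld in root["ds"]}

# "test." has its DS signed by KSK B directly; "org." is signed by the ZSK.
DS_SIGNERS = {"org.": ZSK, "test.": KSK_B}

if __name__ == "__main__":
    for label, signers in (("A+B", [KSK_A, KSK_B]), ("A", [KSK_A]), ("B", [KSK_B])):
        print(label, accepting_anchors(build_root(signers, DS_SIGNERS)))
```

With only A signing the DNSKEY RRset, the DS that B signed directly still validates for holders of A and for nobody holding only B, because B is trusted solely through the RRset that A signed.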