Oct. 1, 2014
7:45 p.m.
Greetings again. It is my impression that having two (or more) KSK keys long term makes 5011 rollovers a bit less problematic, but I could be misunderstanding some of the subtleties of 5011 when mixed with draft-ietf-dnsop-dnssec-key-timing. If it is better, I would propose that the timing of the KSK change be "add second and third key, wait a bit, remove current (first) key" over "add a second key, wait a bit, remove the current (first) key, wait a bit, add a new key (so we have two)". Thoughts?

--Paul Hoffman