On 9/21/2014 2:27 PM, David Conrad wrote:
> On Sep 21, 2014, at 11:15 AM, Tomofumi Okubo <tomofumi.okubo@gmail.com> wrote:
>> More than 1 standby key sounds even better!
> How would this impact the size of responses?
>
> Regards,
> -drc




There's some (explicitly designed) weirdness in 5011 related to this.  Basically, once a key is added to the trust anchor set, it remains there until revoked.  Absence of the key in the DNSKEY RRSet does not affect its inclusion in the TA set.  So you could add a deep standby key, leaving it in the DNSKEY RRSet for about 60 days (to ensure its addition as a trust anchor), and then exclude it from further RRSet publications until actually needed.  The specific 5011 state is "missing".

Mike
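
The standby-key lifecycle described in the message above, as an added example that is not part of the original thread: a simplified model of the RFC 5011 per-key states as a validating resolver would track them. The class and function names and the day-numbered timeline are constructed for illustration; the Removed state, the TTL-based hold-down alternative and revocation during AddPend are not modeled.

```python
# Added illustration (not from the thread): simplified RFC 5011 states for one key.
from enum import Enum

ADD_HOLD_DOWN_DAYS = 30  # RFC 5011 add hold-down; the TTL-based alternative is ignored

class State(Enum):
    START = "Start"
    ADD_PEND = "AddPend"
    VALID = "Valid"
    MISSING = "Missing"
    REVOKED = "Revoked"

TRUSTED = {State.VALID, State.MISSING}  # states in which the key is a trust anchor

class TrackedKey:
    def __init__(self):
        self.state, self.first_seen = State.START, None

    def observe(self, day, present, revoked=False):
        """Apply one validated DNSKEY RRSet observation made on `day`."""
        s = self.state
        if s is State.REVOKED:
            pass                                            # terminal in this model
        elif present and revoked and s in TRUSTED:          # RevBit
            self.state = State.REVOKED
        elif s is State.START and present:                  # NewKey
            self.state, self.first_seen = State.ADD_PEND, day
        elif s is State.ADD_PEND and not present:           # KeyRem: restart
            self.state, self.first_seen = State.START, None
        elif s is State.ADD_PEND and day - self.first_seen >= ADD_HOLD_DOWN_DAYS:
            self.state = State.VALID                        # AddTime
        elif s is State.VALID and not present:              # KeyRem
            self.state = State.MISSING
        elif s is State.MISSING and present:                # KeyPres
            self.state = State.VALID
        return self.state

def simulate(schedule):
    """schedule: (day, present, revoked) tuples -> (day, state, is_trust_anchor)."""
    key, trace = TrackedKey(), []
    for day, present, revoked in schedule:
        state = key.observe(day, present, revoked)
        trace.append((day, state.value, state in TRUSTED))
    return trace

# Constructed timeline: standby key published ~60 days, withdrawn, later reused.
STANDBY_SCHEDULE = [(0, True, False), (15, True, False), (31, True, False),
                    (60, True, False), (61, False, False), (200, False, False),
                    (400, True, False), (500, True, True)]

if __name__ == "__main__":
    for row in simulate(STANDBY_SCHEDULE):
        print(row)
```

A resolver that was offline during the publication window never leaves Start for this key, which is the operational risk to weigh against the smaller DNSKEY response.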