Hi -

For the purposes of this message, I'm assuming we're talking not about placing a removed non-revoked key back into service, but placing a revoked key back into service.

The way 5011 works is that there's a remove hold-down time for the trust anchor database at a resolver. It's there to allow the resolver to purge old data after it's no longer valid. Revoking a trust anchor both removes the key from the trust anchor set and makes it useless for signing things.

At the completion of the remove hold-down time, say the resolver purges all knowledge of the trust anchor key, and then say the resolver sees something signed by that key. Since the key isn't affirmatively a trust anchor key, a chain of trust can't be traced from it.

A zone owner *could* place it back into service as a trust anchor, but would have to go through the same process it uses to add any other trust anchor key. Not a good idea, but also not really a threat surface.

Mike
participants (1)
- Michael StJohns
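The revoke / remove-hold-down / re-add sequence the message walks through, as an added simulation of a resolver's RFC 5011 trust-anchor states (my own illustration, not code from the thread or from any resolver). It assumes the RFC's 30-day defaults for both hold-down timers and leaves out signature validation and the rule that a pending key must stay continuously visible during the add hold-down.

```python
# Simplified RFC 5011 trust-anchor state machine (added illustration).
# Assumptions: 30-day add and remove hold-downs; DNSKEY signatures are
# taken as already validated; the "key must stay visible throughout the
# add hold-down" rule is omitted to keep the focus on revoke and remove.
from dataclasses import dataclass

ADD_HOLD_DOWN = 30 * 86400     # seconds
REMOVE_HOLD_DOWN = 30 * 86400  # seconds


@dataclass
class Anchor:
    state: str   # "AddPend", "Valid", "Revoked" or "Removed"
    since: int   # time at which the current state was entered


class TrustAnchorDB:
    """Per-zone trust-anchor database of a validating resolver."""

    def __init__(self):
        self.anchors = {}  # key tag -> Anchor

    def observe(self, now, keys):
        """keys: (key_tag, revoke_bit) pairs from a DNSKEY RRset seen at `now`."""
        for tag, revoke_bit in keys:
            a = self.anchors.get(tag)
            if revoke_bit:
                if a is None or a.state == "Removed":
                    continue  # never trusted, or already purged: nothing to revoke
                if a.state == "AddPend":
                    del self.anchors[tag]  # revoked before it ever became an anchor
                elif a.state == "Valid":
                    self.anchors[tag] = Anchor("Revoked", now)
                # a key already Revoked stays Revoked until the remove hold-down ends
            elif a is None or a.state == "Removed":
                # unknown or purged key: treated as brand new, add hold-down restarts
                self.anchors[tag] = Anchor("AddPend", now)
            # seeing a Revoked key without the REVOKE bit does not un-revoke it
        self._advance_timers(now)

    def _advance_timers(self, now):
        for a in self.anchors.values():
            if a.state == "AddPend" and now - a.since >= ADD_HOLD_DOWN:
                a.state, a.since = "Valid", now
            elif a.state == "Revoked" and now - a.since >= REMOVE_HOLD_DOWN:
                a.state, a.since = "Removed", now

    def state_of(self, tag):
        a = self.anchors.get(tag)
        return a.state if a else "Start"

    def is_trust_anchor(self, tag):
        return self.state_of(tag) == "Valid"
```

Once a key has reached Removed, `observe` accepts it only as a new AddPend entry, so a zone owner re-publishing it must wait out the full add hold-down again, which is the point the message makes.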