[dnssec-deployment] Signatures on the DNSKEY
daniel at digsys.bg
Tue Oct 27 21:55:57 EDT 2009
Edward Lewis wrote:
> Transiting from ZSK only to KSK/ZSK will be rare, both in the number
> of times it happens and the time span in which it occurs will be
> short. Operationally there's a tradeoff between handling this corner
> case well versus the much more common "normal case." I'd rather
> optimize for the normal case.
I probably neglected to comment on this earlier, but imagine that a
Registrant moves from one DNS operator to another. Their DNS operator is
also handling DNSSEC for the zone. One of their operators has ZSK-only
signing infrastructure, while the other has KSK/ZSK signing infrastructure.
Therefore, this case may happen very often in the not so distant future.