[dns-operations] .fr has 5 DNSKEYs

Paul Wouters paul at xelerance.com
Mon May 30 20:07:05 UTC 2011


On Mon, 30 May 2011, Stephane Bortzmeyer wrote:

> By the way, I forgot to explain the .FR configuration, sorry. We keep
> a rescue key at all times. So the minimum number of keys is four (one
> KSK, one rescue KSK, one ZSK, one rescue ZSK). During rollovers, there
> is sometimes one more KSK or ZSK (and both if the rollovers happen to
> overlap).

Why would you need a "rescue ZSK"? You can introduce any new ZSK at any
time with zero notice provided your current KSK signs it. Is this
something to do with HSMs in different locations?

Paul



