[dns-operations] Pre-publishing KSKs and ZSKs
anandb at ripe.net
Tue Nov 24 09:22:27 UTC 2015
Dear DNS folk,
I'm asking for opinions about pre-publishing KSKs and ZSKs. Our signer
software pre-publishes both by default, but provides an option not to.
Pre-publishing has the feature that in the event of an emergency
roll-over, the keys should already be cached. However, this appears
to be the only advantage. Otherwise, the standby keys make the DNSKEY
We publish our keys with a TTL of 1 hour, which is rather short. My
thinking is that with such a short TTL, we shouldn't need to
pre-publish standby keys, because we can introduce new keys quickly.
Would you all agree with my assessment? Have I missed any other
obvious reason for pre-publishing keys?
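A worked timeline for the trade-off raised above, added here as an illustration (not part of the original post): it applies the RFC 7583 pre-publication ZSK timing model, where a new key may only sign once it has been in the DNSKEY RRset for Ipub = Dprp + TTLkey, and the old key must stay published for Iret = Dsgn + TTLsig + Dprp after it stops signing. The delay values are constructed for the example; the 1-hour DNSKEY TTL is the one from the post.

```python
from datetime import datetime, timedelta


def zsk_rollover_timeline(t_pub, ttl_key, d_prp, d_sgn, ttl_sig, prepublished=False):
    """Return the key timing milestones of an RFC 7583 pre-publication ZSK roll.

    t_pub        -- time the new DNSKEY is (or was) published
    ttl_key      -- TTL of the DNSKEY RRset
    d_prp        -- propagation delay to all authoritative servers
    d_sgn        -- time needed to re-sign every RRset with the new key
    ttl_sig      -- longest TTL of any RRset signed by the outgoing key
    prepublished -- True if the key has been a standby long enough that
                    Ipub has already elapsed (the "pre-publish" case)
    """
    # Publication interval: how long the key must sit in DNSKEY before it
    # signs, so that every validator cache already holds it. A standby key
    # that has been published for longer than Ipub has already paid this.
    i_pub = timedelta(0) if prepublished else d_prp + ttl_key
    # Retire interval: old signatures may still be cached for this long.
    i_ret = d_sgn + ttl_sig + d_prp
    t_act = t_pub + i_pub       # earliest time the new key may sign
    t_ret = t_act               # old key stops signing at the same moment
    t_rem = t_ret + i_ret       # earliest time the old DNSKEY may be removed
    return {"publish": t_pub, "activate": t_act, "retire_old": t_ret,
            "remove_old": t_rem, "ipub": i_pub, "iret": i_ret}


# Constructed sample values; only the 1-hour DNSKEY TTL comes from the post.
NOW = datetime(2015, 11, 24, 9, 22)
PARAMS = dict(ttl_key=timedelta(hours=1), d_prp=timedelta(minutes=30),
              d_sgn=timedelta(minutes=10), ttl_sig=timedelta(hours=2))

if __name__ == "__main__":
    for label, pre in (("no standby key", False), ("pre-published standby", True)):
        tl = zsk_rollover_timeline(NOW, prepublished=pre, **PARAMS)
        print(f"{label}: activate after {tl['ipub']}, remove old key after {tl['iret']}")
```

With a 1-hour TTL the publication wait without a standby key is only Dprp + 1h, which is the point the post makes; the retire interval, driven by signature TTLs rather than the DNSKEY TTL, is identical in both cases.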