Re: [dns-operations] TLD .law - non-signing KSK with referenced DS

Alexander Mayrhofer alexander.mayrhofer at nic.at
Mon Jan 17 08:09:42 UTC 2022


Hello,

> From: dns-operations <dns-operations-bounces at dns-oarc.net> On behalf
> of Ondrej Surý
> Sent: Friday, 14 January 2022 11:35
>
> Yes, the non-signing KSK could be offline disaster recovery key. There’s
> nothing wrong about having more keys in DS than used because the change
> process for DS is more complicated than swapping the active key in the zone.

[AM] I can second what Ondrej has written. We (.at) do have an identical setup with an (additional) emergency key that's in the root zone, but not used under normal operational circumstances to sign the zone. The management of that disaster recovery key is completely disjunct from our "main" key. 

Best,
Alex
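As an added illustration (not part of Alex's or Ondrej's mail), a stdlib-only Python audit of the pattern described above: it recomputes key tags and SHA-256 DS digests for an apex DNSKEY set, compares them with the DS set the parent publishes, and reports which DS-referenced KSK actually signs the DNSKEY RRset and which is a published-but-idle standby. The zone name, key bytes (not valid ECDSA points) and RRSIG key tags are constructed placeholders.

```python
import hashlib
import struct

def name_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name: 'example.' -> b'\\x07example\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key (RFC 4034 s2.1)."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner: str, rdata: bytes) -> bytes:
    """Digest a type-2 DS record must carry for this DNSKEY (RFC 4509)."""
    return hashlib.sha256(name_wire(owner) + rdata).digest()

def audit(owner, dnskeys, ds_set, signer_tags):
    """Classify each apex DNSKEY by whether the parent publishes a matching DS
    and whether its key tag appears in an RRSIG over the DNSKEY RRset."""
    roles, matched = {}, set()
    for rdata in dnskeys:
        tag, alg = key_tag(rdata), rdata[3]
        ds = (tag, alg, 2, ds_sha256(owner, rdata))
        has_ds, signs = ds in ds_set, tag in signer_tags
        if has_ds:
            matched.add(ds)
        roles[tag] = ("active KSK" if has_ds and signs else
                      "standby KSK (DS published, not signing)" if has_ds else
                      "signer without DS" if signs else "ZSK or unused key")
    return roles, ds_set - matched  # second item: DS entries no current DNSKEY satisfies

# Constructed sample zone: two KSKs with DS in the parent, only one of them signing.
OWNER = "example."
KSK_A = dnskey_rdata(257, 13, bytes(range(64)))       # active KSK
KSK_B = dnskey_rdata(257, 13, bytes(range(64, 128)))  # emergency/standby KSK
ZSK_C = dnskey_rdata(256, 13, bytes(range(128, 192)))
PARENT_DS = {(key_tag(k), 13, 2, ds_sha256(OWNER, k)) for k in (KSK_A, KSK_B)}
SIGNER_TAGS = {key_tag(KSK_A)}  # key tags as they would appear in RRSIG(DNSKEY)

if __name__ == "__main__":
    roles, dangling = audit(OWNER, [KSK_A, KSK_B, ZSK_C], PARENT_DS, SIGNER_TAGS)
    for tag, role in sorted(roles.items()):
        print(f"key tag {tag:5d}: {role}")
    print("dangling DS entries:", len(dangling))
```

In a live check the three inputs would come from the parent's DS RRset, the apex DNSKEY RRset and the key tags of the RRSIG(DNSKEY) records; a standby key shows up exactly as the second classification.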
