On 28/09/2018 11:37, Ray Bellis wrote: Hi Ray,
> At this time the old key will be removed from the root zone leaving only > the new key (id 20326) in the zone. If your DNS servers don't know and > trust the new key at that point then DNSSEC validation errors will occur. On 11 October, the old key won't be removed. On that day, the new key will start signing the DNSKEY RRset. The old key (id 19036), will remain in the root zone; it just won't sign the DNSKEY RRset. Eventually, in the first quarter of 2019, it will be revoked, and then removed *after* the hold-down period. Regards, Anand _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users