Matthijs, > > my attention has been brought to the KSK rollover double-signature style > > described in 6781 and what I think is a mistake/oblivion there. Section > > 4.1.2 states
[...] > You are right: DS_K_2 may only be provided to the parent *after* the TTL > of DNSKEY_K_1 has passed. RFC 7583 has more accurate timings for > rollovers. The corresponding timeline is described in section 3.3.1. thanks for the pointer. RFC 7583 does it right. That begs for the question: how to deal with the wrong information propagated in 6781? Submit errata? Label it "Updated by 7583"? Best, Marcos _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop