> Why do you need to add the DNSKEY of the previous KSK to the unsigned
> zone? If someone has the old DNSKEY RRSIG cached, he/she also has the
> old DNSKEYs cached and is able to validate the DNSKEY RRset.

Nope. RRSIG and DNSKEY RRSets often have different TTLs, and even if they were the same they will almost never be cached at the same time.

Ondrej
--
Ondřej Surý <[email protected]>
http://blog.rfc1925.org/
