Bob Harold <rharo...@umich.edu> writes:

> I might be wrong, but it would seem to me that the doc covers two situations:
> 1. How long to wait after publishing a key before signing exclusively with
> that key.

Thank you. That is exactly the intent of the document.

> 2. How long after you stop signing with a key before you remove it.

Actually, it's how long you have to wait before removing a key that you set the revoke bit on.

> And both should apply no matter how many keys a zone happens to have.

Yes yes yes. It has nothing to do with the number of keys. It's purely the "if you exclusively sign with a (any) new key before it has been published for this length of time, you're vulnerable to attack".

-- 
Wes Hardaker
USC/ISI

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop