On 1/22/2015 8:32 PM, Ted Cooper wrote:
On 23/01/15 04:50, John wrote:
Why a formal period between "ready" and "active"? Surely if the
publishing period is correctly chosen then a key is activated when
ready. Similarly, when a key has reached the end of its retirement and is
dead, surely it should be removed from the system asap. The more junk
there is lying around, the greater the likelihood of error.
The time period between "ready" and "active" is to allow for the key to
be returned in the DNSKEY RR without that key actively being used in
signing. This prevents a caching resolver being caught between a key
rotation where it ends up with the old set of DNSKEY cached, and RRs
signed with a new key not in that set.

The same mechanism can also be used to have a key ready for emergency
rotation. The key is already published and can be used for signing
immediately, rather than waiting for TTLs.
I thought that was what the Publish interval was all about? Why three periods, inception - publish/publish - ready/ready - active?
I could see a ready state for a standby key, maybe? However, these periods are not bound to a length of time, but to the occurrence of their start and end events. So a standby key can be defined as any key that has been published but not activated.
At the other end, the time between active and unpublished is to allow
for resolvers to be able to validate their old signed RR with the old
DNSKEY until TTL for everything has passed.
That I understand, but why the period from unpublished to dead? Surely once a key has reached unpublished it is dead and should be deleted asap! So why define a period between unpublished and dead?

John Allen
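The two gaps argued over above (publish before active, and keep published after the key stops signing) can be checked mechanically. The following is an added example, not code from the thread or from any DNS software; it assumes a simplified key record with four timestamps (publish, active, inactive, delete) and simulates a caching resolver that may hold a stale DNSKEY RRset or a stale RRSIG for up to one TTL.

```python
from dataclasses import dataclass

@dataclass
class KeyTiming:
    """Hypothetical timing metadata for one DNSSEC key (times in arbitrary units)."""
    name: str
    publish: int   # DNSKEY record enters the zone's DNSKEY RRset
    active: int    # key starts producing RRSIGs ("ready" -> "active")
    inactive: int  # key stops signing but stays published ("retired")
    delete: int    # DNSKEY record leaves the RRset ("dead")

def published(keys, t):
    """Names of keys present in the DNSKEY RRset at time t."""
    return {k.name for k in keys if k.publish <= t < k.delete}

def signing(keys, t):
    """Names of keys whose signatures a resolver fetches at time t."""
    return {k.name for k in keys if k.active <= t < k.inactive}

def rollover_violations(keys, dnskey_ttl, rrsig_ttl):
    """Simulate a caching resolver and return (time, reason) for every moment
    at which it could hold an RRSIG whose key is absent from its cached DNSKEYs."""
    horizon = max(k.delete for k in keys) + dnskey_ttl + rrsig_ttl
    problems = []
    for c in range(horizon):
        # DNSKEY RRset cached at c is reused for any RRSIG fetched until c + dnskey_ttl.
        cached = published(keys, c)
        for t in range(c, c + dnskey_ttl + 1):
            missing = signing(keys, t) - cached
            if missing:
                problems.append((t, f"signing key {sorted(missing)} absent from DNSKEY cached at {c}"))
                break
    for s in range(horizon):
        # RRSIG cached at s is reused until s + rrsig_ttl, even if DNSKEY is refetched at t.
        signers = signing(keys, s)
        for t in range(s, s + rrsig_ttl + 1):
            missing = signers - published(keys, t)
            if missing:
                problems.append((s, f"RRSIG by {sorted(missing)} cached at {s} but key gone from DNSKEY at {t}"))
                break
    return problems

if __name__ == "__main__":
    # Constructed sample: K2 is published 50 units before it starts signing, and
    # K1 stays published 50 units after it stops signing; both gaps exceed the TTLs.
    good = [KeyTiming("K1", 0, 0, 100, 150), KeyTiming("K2", 50, 100, 1000, 1050)]
    # Same rollover with both gaps removed: activate and unpublish at the same instant.
    bad = [KeyTiming("K1", 0, 0, 100, 100), KeyTiming("K2", 100, 100, 1000, 1050)]
    print("safe:", rollover_violations(good, dnskey_ttl=24, rrsig_ttl=24))
    print("unsafe:", rollover_violations(bad, dnskey_ttl=24, rrsig_ttl=24)[:2])
```

With the gaps in place the simulation reports nothing; remove either gap and it reports the exact moments at which a resolver could fail validation, which is the reason both periods exist.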