On 23/01/15 04:50, John wrote:
Why a formal period between "ready" and "active"? Surely if the publishing period is correctly chosen then a key is activated when ready. Similarly, when a key has reached the end of its retirement and is dead, surely it should be removed from the system ASAP. The more junk there is lying around, the greater the likelihood of error.
The time period between "ready" and "active" is to allow for the key to be returned in the DNSKEY RRset without that key actively being used in signing. This prevents a caching resolver being caught in the middle of a key rotation, where it ends up with the old set of DNSKEYs cached and RRs signed with a new key not in that set.
The same mechanism can also be used to have a key ready for emergency rotation. The key is already published and can be used for signing immediately, rather than waiting for TTLs.
At the other end, the time between active and unpublished is to allow resolvers to validate their old signed RRs with the old DNSKEY until the TTL for everything has passed.
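As an added illustration (not code from this thread), the following Python models the two cache races described in the reply: activating a key before every cached DNSKEY RRset can contain it, and removing a key while RRSIGs it produced may still be cached. The state names, TTL values and propagation delay are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Illustrative model of the rollover states discussed above; all times are
# seconds on one clock, and the TTLs are assumptions, not values from the thread.

@dataclass(frozen=True)
class KeyTimeline:
    published: int   # "ready": key appears in the DNSKEY RRset
    active: int      # key starts producing RRSIGs
    retired: int     # key stops producing RRSIGs (still published)
    removed: int     # "dead": key leaves the DNSKEY RRset

def earliest_active(published: int, dnskey_ttl: int, propagation: int = 0) -> int:
    # A resolver may have cached the DNSKEY RRset just before this key was
    # published; that copy lives for dnskey_ttl seconds after the last
    # secondary served it, so signing earlier risks an unverifiable RRSIG.
    return published + propagation + dnskey_ttl

def earliest_removed(retired: int, max_rrsig_ttl: int, propagation: int = 0) -> int:
    # RRsets signed by this key may be cached for up to the zone's longest TTL;
    # the DNSKEY must remain published until those signatures have aged out.
    return retired + propagation + max_rrsig_ttl

def schedule_problems(t: KeyTimeline, dnskey_ttl: int, max_rrsig_ttl: int,
                      propagation: int = 0) -> list[str]:
    """Return the cache races a proposed timeline would allow (empty == safe)."""
    problems = []
    if not t.published <= t.active <= t.retired <= t.removed:
        problems.append("states out of order")
    if t.active < earliest_active(t.published, dnskey_ttl, propagation):
        problems.append("active before every cached DNSKEY RRset contains the key")
    if t.removed < earliest_removed(t.retired, max_rrsig_ttl, propagation):
        problems.append("removed while RRSIGs by this key may still be cached")
    return problems

def resolver_can_validate(t: KeyTimeline, dnskey_ttl: int,
                          cached_at: int, queried_at: int) -> bool:
    """Simulate the race: a resolver cached the DNSKEY RRset at cached_at and at
    queried_at receives an RRset whose RRSIG was made by this key."""
    assert t.active <= queried_at < t.retired, "key must be signing at query time"
    if queried_at >= cached_at + dnskey_ttl:
        return True  # cache expired; resolver refetches the current DNSKEY RRset
    return t.published <= cached_at < t.removed  # was the key in the cached set?

if __name__ == "__main__":
    hour, day = 3600, 86400  # constructed: DNSKEY TTL 1h, longest zone TTL 1 day
    rushed = KeyTimeline(published=0, active=600, retired=30 * day, removed=30 * day)
    print(schedule_problems(rushed, hour, day))
    print(resolver_can_validate(rushed, hour, cached_at=-60, queried_at=600))
```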