From 4155ad932485eaf6021357f43f241fece2775fd0 Mon Sep 17 00:00:00 2001 From: Lucas Date: Sun, 27 Dec 2020 15:47:54 +0000 Subject: [PATCH] Update ZSK rotation instructions --- procedures/key-rotation.txt | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/procedures/key-rotation.txt b/procedures/key-rotation.txt index c303cc0..b8eb451 100644 --- a/procedures/key-rotation.txt +++ b/procedures/key-rotation.txt @@ -15,9 +15,10 @@ Assumes: 3. Sign DNSKEY RRs with KSK 4. Sign rest of the zone with ZSK_c 5. Publish signed zones, which includes: - - DNSKEY RRs for ZSK_c and ZSK_n signed by KSK + - DNSKEY RRs for ZSK_p, ZSK_c and ZSK_n signed by KSK - Every other RR signed by ZSK_c - - Does not include ZSK_p DNSKEY RR nor any RRSIG signed by ZSK_p + - Does not include any RRSIG signed by ZSK_p +6. After cache expires, delete ZSK_p DNSKEY RR. NSEC3PARAM ----------
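Review bot: The new step 6, "After cache expires, delete ZSK_p DNSKEY RR.", does not say which cache is meant or how long to wait, and it leaves out the re-signing that the deletion requires. The wait should be stated as a concrete interval: at least the largest TTL of any RRSIG that was made with ZSK_p, counted from the moment the zone signed only by ZSK_c has reached every authoritative server, since a resolver holding a cached ZSK_p signature still needs the ZSK_p DNSKEY to validate it. Removing the ZSK_p DNSKEY RR also changes the DNSKEY RRset, so step 6 should say that the DNSKEY RRs are signed again with the KSK (as in step 3) and the zone is republished. Suggested wording: "6. After the longest TTL of any RRSIG signed by ZSK_p has elapsed, delete the ZSK_p DNSKEY RR, re-sign the DNSKEY RRs with KSK and publish." The third bullet under step 5 now only says what is absent; folding it into the second bullet ("Every other RR signed by ZSK_c only") would make the list read more cleanly.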