New key signing key (KSK) for .SE

As from today, 2008-01-03 .SE publish and take into use a new KSK for signing the .SE zone file. The key published with start 2006 with key id = 17686 is unvalid since 2008-01-01 and will be removed 2008-02-01. You should have configured the key published with start Would it be possible to set the REVOKE Bit on that key, and announce it for another 30 days? Doing so enables a rfc5011 aware validator to discard the key automatically from the list of possible trust anchor. Without it, the key ends up in state missing on the validator side.

<quote rfc5011> Missing This is an abnormal state. The key remains a valid trust- point key, but was not seen at the resolver in the last validated DNSKEY RRSet. This is an abnormal state because the zone operator should be using the REVOKE bit prior to removal. </quote> So setting the revoke bit, would be one step to make the zone more compatible to RFC5011 (Automated Updates of DNS Security Trust Anchors) which is a way forward in implementing and using DNSSEC even without a signed root (and in absence of an elsewere trustable TAR). BTW: The same is true for all other signed TLDs and the signed zones managed by RIPE as well. Greets Holger