"This document describes a means for automated@ authenticated@ and authorized updating of DNSSEC ""trust anchors"". The method provides protection against N-1 key compromises of N keys in the trust point key set. Based on the trust established by the presence of a current anchor@ other anchors may be added at the same place in the hierarchy@ and@ ultimately@ supplant the existing anchor(s). This mechanism will require changes to resolver management behavior (but not resolver resolution behavior)@ and the addition of a single flag bit to the DNSKEY record."
RFC 5011-2007 history
2007RFC 5011-2007 Automated Updates of DNS Security (DNSSEC) Trust Anchors