The emergency procedures described for key roll-over use the rationale that injection of valid but false data (which can be generated using the compromised key) is more serious than discontinuity in our ability to validate true data. Thus, during emergency KSK roll-over, there will be a period (up to twice the maximum zone TTL) where it may not be possible to build an "authentication chain" from the zone data to the new KSK.
The DNSSEC-Tools utilities do not currently handle emergency KSK roll-over. However, the utilities may be used to automate some of the steps required.
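To size the "up to twice the maximum zone TTL" window described above for a given zone, the following added example (not part of DNSSEC-Tools) finds the largest TTL in a master file and derives the latest time the gap can last. The function names, the simplified parser (one record per line apart from parenthesised continuations, no `;` inside quoted rdata) and the sample zone are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"(?:\d+[smhdw]?)+", re.I)

# Constructed sample zone (documentation names and addresses only).
SAMPLE_ZONE = """\
$TTL 1h
@   IN SOA ns1 hostmaster (
        2024010101 7200 3600 1209600 300 ) ; serial ... minimum
    IN NS ns1
ns1 2d IN A 192.0.2.1
www IN 300 A 192.0.2.10
"""

def ttl_seconds(token):
    """Convert a master-file TTL such as 3600, 1h or 1d12h to seconds."""
    return sum(int(n) * UNITS[u.lower()] for n, u in re.findall(r"(\d+)([smhdw]?)", token, re.I))

def max_zone_ttl(zone_text):
    """Largest record TTL, honouring $TTL and skipping ( ) continuation lines."""
    default, largest, depth = None, 0, 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # assumption: no ';' inside quoted rdata
        starts_record = depth == 0
        depth += line.count("(") - line.count(")")
        if not line.strip() or not starts_record:
            continue
        fields = line.split()
        if fields[0].startswith("$"):
            if fields[0].upper() == "$TTL":
                default = ttl_seconds(fields[1])
            continue
        if not line[0].isspace():
            fields = fields[1:]  # drop the owner name
        ttl = default
        for tok in fields[:2]:  # TTL and class may appear in either order
            if TTL_RE.fullmatch(tok):
                ttl = ttl_seconds(tok)
            elif tok.upper() not in ("IN", "CH", "HS"):
                break  # reached the record type
        if ttl is not None:
            largest = max(largest, ttl)
    return largest

def gap_end(zone_text, start_iso):
    """ISO 8601 time by which the gap must have closed: start + 2 * max TTL."""
    gap = timedelta(seconds=2 * max_zone_ttl(zone_text))
    return (datetime.fromisoformat(start_iso) + gap).isoformat()
```

With the sample zone, the single two-day TTL on `ns1` sets the bound, so the chain may remain unbuildable for up to four days after the roll-over starts.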