The DNS Security Extensions (DNSSEC) works by validating so called
chains of authority. The start of these chains of authority are
usually public keys that are anchored in the DNS clients. These keys
are known as the so called trust anchors.
This memo describes a method how these client trust anchors can be
replaced using the DNS validation and querying mechanisms (in-band)
when the key pairs used for signing by zone owner are rolled.
This memo also describes a method to establish the validity of trust
anchors for initial configuration, or priming, using out of band