Paul Hoffman paul.hoffman at vpnc.org
Fri Oct 10 02:19:53 UTC 2014

Greetings again. Pure conjecture below.

Assuming that a rollover uses the Double-KSK method described previously, is there an intention to test systems for the new SEP key before removing the old one? That is, if A is the current KSK and IANA adds B, after the 30-day hold-down time, either key could be used to sign zones in the root.

One thought is to sign a test TLD "dywnagrebo" with just B, have an IANA-supported server that is authoritative for dywnagrebo, and include URLs such as www.test.dywnagrebo in some environments where they might be resolved. I'm not sure how one might be able to see when a lookup fails due to validation (as compared to failing due to it being a new TLD), so this could be a useless idea. However, more creative people here might be able to design a way to actually test that the B KSK is widely loaded before A is removed.

--Paul Hoffman
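An added example, not part of the message above, that models the test Paul sketches and the one part he is unsure about: telling a lookup that fails because the resolver does not yet trust KSK B apart from one that fails because the test TLD simply does not resolve. Everything here is a constructed stand-in: the "KSKs" are shared secrets and the "RRSIG" is an HMAC rather than a real DNSSEC signature, the DNSKEY RRset is a placeholder byte string, and the resolver is modelled as returning an RCODE with and without the CD (checking disabled) bit. The names `sign_dnskey_rrset`, `validate`, `resolver_response`, `diagnose` and `run_test` are hypothetical helpers for this illustration only.

```python
import hashlib
import hmac

# Hypothetical KSK material (constructed): key tag -> secret.
# A is the current root KSK, B is the newly added one.
KSKS = {"A": b"ksk-A-secret", "B": b"ksk-B-secret"}


def sign_dnskey_rrset(rrset, key_tag):
    """Toy RRSIG over the DNSKEY RRset: (key_tag, hex HMAC-SHA256).
    Real DNSSEC uses an asymmetric signature; the HMAC only stands in
    for "this RRset was signed with that KSK"."""
    mac = hmac.new(KSKS[key_tag], rrset, hashlib.sha256).hexdigest()
    return (key_tag, mac)


def validate(rrset, rrsigs, trust_anchors):
    """Return 'SECURE' if some RRSIG was made by a key in the validator's
    trust-anchor set and verifies, otherwise 'BOGUS'."""
    for key_tag, mac in rrsigs:
        if key_tag not in trust_anchors or key_tag not in KSKS:
            continue
        expected = hmac.new(KSKS[key_tag], rrset, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, mac):
            return "SECURE"
    return "BOGUS"


def resolver_response(rrset, rrsigs, trust_anchors, zone_exists=True, cd=False):
    """Model the RCODE a validating resolver gives for a name under the test TLD.
    CD=1 asks the resolver to return data without validating it."""
    if not zone_exists:
        return "NXDOMAIN"
    if cd:
        return "NOERROR"
    if validate(rrset, rrsigs, trust_anchors) == "SECURE":
        return "NOERROR"
    return "SERVFAIL"


def diagnose(rcode_plain, rcode_cd):
    """Classify the outcome from the pair (RCODE without CD, RCODE with CD).
    SERVFAIL that turns into NOERROR under CD is a validation failure;
    NXDOMAIN both ways means the name itself is not resolvable."""
    if rcode_plain == "SERVFAIL" and rcode_cd == "NOERROR":
        return "validation failure"
    if rcode_plain == "NXDOMAIN" and rcode_cd == "NXDOMAIN":
        return "name does not exist"
    if rcode_plain == "NOERROR":
        return "resolved and validated"
    return "other"


def run_test(trust_anchors, zone_exists=True):
    """Sign the test TLD's DNSKEY RRset with B only, query a resolver holding
    the given trust anchors with and without CD, and diagnose the result."""
    rrset = b"dywnagrebo. IN DNSKEY (constructed placeholder)"
    rrsigs = [sign_dnskey_rrset(rrset, "B")]
    plain = resolver_response(rrset, rrsigs, trust_anchors, zone_exists, cd=False)
    with_cd = resolver_response(rrset, rrsigs, trust_anchors, zone_exists, cd=True)
    return diagnose(plain, with_cd)


if __name__ == "__main__":
    print("resolver trusting only A:   ", run_test({"A"}))
    print("resolver trusting A and B:  ", run_test({"A", "B"}))
    print("test TLD not visible at all:", run_test({"A", "B"}, zone_exists=False))
```

Against a real resolver the same pair of observations comes from `dig www.test.dywnagrebo` and `dig +cd www.test.dywnagrebo`: a SERVFAIL that clears when CD is set points at validation, while NXDOMAIN in both cases points at the name not being reachable at all.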

