[ksk-change] Capabilities of validating systems we need to consider

Michael StJohns msj at nthpermutation.com
Sun Sep 21 17:17:27 UTC 2014

On 9/21/2014 11:27 AM, Paul Hoffman wrote:
> Greetings again. In thinking about the question of "what would happen if we changed the KSK", but without thinking about why and when, it would be good to think about what kinds of systems are out there. My initial list came to three categories of capabilities:
> 1) Able to automatically pull and correctly use a new KSK
5011 or something else.
> 2) Cannot automatically pull a new KSK, or cannot correctly use an automatically-pulled KSK; however, it can correctly get and use a new KSK with operator intervention
That sounds like just pulling down a file and restarting the resolver 
which should be the case for pretty much any normal resolver.  Maybe an 
issue with middle boxes like home routers, but I'm not aware of any 
device that does validation OOB without configuration.
> 3) Even with operator intervention, cannot pull a new KSK or cannot correctly use a manually-pulled KSK

Is there an actual example of such a box?  I'd basically call it bricked 
and replace it if I had one in this category.

Last category is (4) doesn't know or care about DNSSEC.
> Are there other categories that would look operationally different to either customers of the system or to operators of signed zones?
> We will certainly later debate how many systems are in these categories and if those systems are "important", but it would be good to start with the smallest complete set to talk about.
> --Paul Hoffman
