[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

Doug Barton dougb at dougbarton.email
Mon Sep 22 05:43:14 UTC 2014

On 9/21/14 10:29 PM, Michael StJohns wrote:
> On 9/21/2014 10:55 PM, David Conrad wrote:
>> Since we have to deal with a “full trust reboot” and that provides a
>> superset of functionality to 5011, I’m still unclear as to why we care
>> about 5011.
> By the way, I just realized that the above is somewhat equivalent to "If
> we can just buy a new car when one breaks, then why would we need repair
> shops."  Just saying.  5011 is the repair shop.

I'm pro-5011, and I think we should definitely be working towards a key 
succession strategy. (more on that later)

But, we should be clear that while 5011 is the best tool we have, and 
will be effective for a significant percentage of end users, it won't be 
anywhere close to universally effective. Even things like dnsmasq, which 
is widely used, and recently gained DNSSEC support, will not be helped 
by 5011; it's still a manual process. There are (of course) many other 


