[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

David Conrad david.conrad at icann.org
Mon Sep 22 06:05:15 UTC 2014


On Sep 21, 2014, at 9:41 PM, Tomofumi Okubo <tomofumi.okubo at gmail.com> wrote:
> I think the huge difference between the CA business and Root DNSSEC is
> that there is no going out-of-business for Root DNSSEC.

I agree 100%, which is why I tend to be (perhaps overly) concerned with minimizing risks.

> It doesn’t matter how ugly it gets, we have no option but to recover and keep on providing the service at all costs.

I don’t think there is any disagreement here on this issue. The question is how risks are mitigated. 

AFAICT, there is an assumption that there are two modes of potential failure: (a) a catastrophic failure in which the only option is re-bootstrapping and (b) a non-catastrophic failure in which 5011 is a (potentially) viable solution.

Is anyone arguing that we do not need to be prepared for (a), regardless of how unlikely it might be?

What exactly does (b) look like? That is, what is a non-catastrophic failure that would necessitate a key roll?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20140922/79f6d318/signature.asc>

More information about the ksk-rollover mailing list