[ksk-change] Helping the panel name the reasons for the KSK rollover

Paul Hoffman paul.hoffman at vpnc.org
Mon Feb 23 16:30:20 UTC 2015

On Feb 23, 2015, at 8:11 AM, Ashley Heineman <AHeineman at ntia.doc.gov> wrote:
> Just want to point out that "scheduled rollover of the KSK" was an original basic requirement when DNSSEC was implemented at the root.   Specifically (as referenced in the baseline requirements, with the footnote 12, http://www.ntia.doc.gov/files/ntia/publications/dnssec_requirements_102909.pdf):
> "c) Root Zone KSK Rollover
> i) Scheduled rollover of the RZ KSK shall be performed.12
> 12 The Department envisions the timeline for scheduled rollover of the RZ KSK to be jointly developed and
> proposed by ICANN and VeriSign, based on consultation and input from the affected parties (e.g. root server
> operators, large-scale resolver operators, etc). Note that subsequent test plans may specify more or less
> frequent RZ KSK rollover to ensure adequate testing."

Is that subsumed by "DPS statement -- Section 6.5 of the DPS for the root zone says that the KSK will be rolled over after five years of operation, and that time has already passed.", or do you consider the contents of that footnote a separate issue?

--Paul Hoffman

More information about the ksk-rollover mailing list