[ksk-change] Helping the panel name the reasons for the KSK rollover

Ashley Heineman AHeineman at ntia.doc.gov
Mon Feb 23 16:55:27 UTC 2015

FWIW - NTIA considers them separate documents and does not see a contradiction. The baseline requirements are exactly that (baseline requirements) and the DPS was one mechanism by which the RZM partners worked to fulfill / and flesh out the requirements. My recollection is that, at the outset, we all agreed that there would be "scheduled" rollovers. The issue was that we (NTIA-NIST) didn't want to bind the partners with a pre-cooked schedule or notion of what the schedule should be as this was kind of uncharted waters at the time, but recognized the need for rollovers and that the issue of what "schedule" they would be on needed to be thoroughly discussed, considered, and potentially reconsidered.

-----Original Message-----
From: Richard Lamb [mailto:richard.lamb at icann.org] 
Sent: Monday, February 23, 2015 11:41 AM
To: Paul Hoffman; Ashley Heineman
Cc: ksk-rollover at icann.org
Subject: RE: [ksk-change] Helping the panel name the reasons for the KSK rollover

Both ZSK and KSK DPSs were written and cleared by all the root zone
management partners design team (VRSN, ICANN, NTIA) so I believe DPSs and
requirements documents are consistent with each other.  
That was my understanding...we would roll but when was up for discussion.

Do you see a contradiction?  
Happy to hear what others think.  I am not the best at details like
Jakob+Fredrik were.  


-----Original Message-----
From: ksk-rollover-bounces at icann.org [mailto:ksk-rollover-bounces at icann.org]
On Behalf Of Paul Hoffman
Sent: Monday, February 23, 2015 5:30 PM
To: Ashley Heineman
Cc: ksk-rollover at icann.org
Subject: Re: [ksk-change] Helping the panel name the reasons for the KSK

On Feb 23, 2015, at 8:11 AM, Ashley Heineman <AHeineman at ntia.doc.gov> wrote:
> Just want to point out that "scheduled rollover of the KSK" was an
> original basic requirement when DNSSEC was implemented at the root.
> Specifically (as referenced in the baseline requirements, with the footnote
> "c) Root Zone KSK Rollover
> i) Scheduled rollover of the RZ KSK shall be performed.12
> 12 The Department envisions the timeline for scheduled rollover of the
> RZ KSK to be jointly developed and proposed by ICANN and VeriSign,
> based on consultation and input from the affected parties (e.g. root
> server operators, large-scale resolver operators, etc). Note that
> subsequent test plans may specify more or less frequent RZ KSK rollover to
> ensure adequate testing."

Is that subsumed by "DPS statement -- Section 6.5 of the DPS for the root
zone says that the KSK will be rolled over after five years of operation,
and that time has already passed.", or do you consider the contents of that
footnote a separate issue?

--Paul Hoffman