[ksk-rollover] Automated Updates (aka RFC 5011) add-hold for the new root zone KSK expires soon

Paul Hoffman paul.hoffman at icann.org
Thu Aug 10 15:19:42 UTC 2017

On Aug 9, 2017, at 10:31 AM, Edward Lewis <edward.lewis at icann.org> wrote:
> Looking at my records, the new KSK appeared between 2017-07-11 at 1305UTC and 2017-07-11 at 1405UTC.  (I run some probes at 5 minutes after the hour.)
> "30 Days later" means 10 August (not 11 August!).  We are less than 24 hours away from that as I write this message (about 20 hours now).

Doesn't the actual time depend on when they grabbed the key? Thus, isn't there a 48-hour window for when other people will have the new key be trusted? Or am I missing something about RFC 5011?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3906 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20170810/b227dc11/smime.p7s>

More information about the ksk-rollover mailing list