[ksk-rollover] Automated Updates (aka RFC 5011) add-hold for the new root zone KSK expires soon

Evan Hunt each at isc.org
Thu Aug 10 17:59:13 UTC 2017

On Thu, Aug 10, 2017 at 03:19:42PM +0000, Paul Hoffman wrote:
> Doesn't the actual time depend on when they grabbed the key? Thus, isn't
> there a 48-hour window for when other people will have the new key be
> trusted? Or am I missing something about RFC 5011?

Correct, it would be 30 days after the first time the key was seen in
a refresh query.

The root DNSKEY TTL is two days and I believe the refresh query interval is
half the TTL, so unlucky timing in a forwarding resolver could delay
discovery of a new key up to three days.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the ksk-rollover mailing list