[ksk-rollover] [Ext] Re: 15 days into the add-hold for KSK-2017

Edward Lewis edward.lewis at icann.org
Sat Jul 29 17:14:50 UTC 2017

No feedback at all. Nothing.

FWIW, all my personal servers picked it up. Haven't heard from anyone else.

There was no increase in size as the 11 July KSK addition happened along side a ZSK deletion. The KSK and ZSK are the same size, ever since the move to 2048 bits for the ZSK a few months ago.

What to look for recommendations are implementation (code and distro) specific. The best general advice is to check with the tool "supplier".

Sent from aomething with no kybosrd.

On Jul 29, 2017, at 07:21, Olaf Kolkman <kolkman at isoc.org<mailto:kolkman at isoc.org>> wrote:

Has there been any feedback on the changes so far? Did the increase in the DNSKEY RR set trigger anything?

Is there any advice we can give to resolver ops in a month or so? Like check your trust anchor it should now contain <blob>?


On 26 Jul 2017, at 7:08, Edward Lewis wrote:

Wanted to "mark the occasion" and ask if there are any further concerns?

RFC-5011 following servers ought to be about halfway to trusting KSK-2017 about this day, with the add-hold expiring around August 11, give or take time zones and when probing happened.

That's halfway to "trusting" the key. There's still 2.5 more months (October 11) until signatures by KSK-2017 appear.

ksk-rollover mailing list
ksk-rollover at icann.org<mailto:ksk-rollover at icann.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20170729/f41f2736/attachment.html>

More information about the ksk-rollover mailing list