[ksk-rollover] The timing of publication of signatures by new KSK
Ólafur Guðmundsson
olafur at cloudflare.com
Thu Jun 8 18:55:50 UTC 2017
Dear Icann and Verisign,
It is real important for Resolver operators to know when this happens as
the publication time starts the clock on when validation failures begin.
About 48 after last root server starts advertising the new DNSKEY closes
the window of when last resolvers will start returning errors.
Thus I request that ICANN + Verisign commit to publish the DNSKEY set
signed by the new KSK on October 11'th at 12:00 UTC as that is the only
time it is October 11'th everywhere in the world.
This way we can know that all errors will be visible before 13:00 UTC on
Oct 13'th, as over 99% of root servers load up new zone in less than an
hour (I hope)
Olafur
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20170608/28e66d21/attachment.html>
More information about the ksk-rollover
mailing list