[ksk-rollover] Current status of KSK-RollOver?

Rene 'Renne' Bartsch, B.Sc. Informatics ml at bartschnet.de
Wed Aug 29 22:36:39 UTC 2018

I have promoted DNSSEC for years and always heard the same bad excuses:

DNS server admins:         developers of hard- and software clients do not support DNSSEC
Hard-/software developers: DNS servers do not support DNSSEC
Users:                     configuration is a huge effort
All:                       KSK rollover will fail leading to an internet blackout

Bottom line:

Rolling out DNSSEC is not a technical but a social problem. It's called fear and laziness.
It seems the focus of the ICANN board is too technical to realize this.

The indecisiveness of the ICANN board makes all involved parties insecure.
If the KSK-rollover is postponed again, no one will take DNSSEC seriously.
If the KSK-rollover becomes a big fail, everyone will avoid DNSSEC.
It's time to get things done to gain the trust of all involved parties.

I suggest a marketing campaign to promote the benefits of the DNSSEC/DANE dyad for users
who will then push service providers and hard-/software developers.


On 29.08.18 at 13:27, Matt Larson wrote:
>> On Aug 29, 2018, at 7:06 AM, Shane Kerr <shane at time-travellers.org> wrote:
>> On 2018-08-29 11:23, Mark Elkins wrote:
>>> That Lithium battery inside the HSM with its five year life expectancy is in its sixth (or so) year?
>> I believe that HSM can be replaced without rolling the key, so this is not a strong motivator.
> Indeed, and we have already done so: the four original HSMs have been retired and replaced.
> Matt
