[ksk-rollover] When is the KSK rollover complete?

Chris Thompson cet1 at cam.ac.uk
Mon Nov 5 15:23:56 UTC 2018 

On Oct 30 2018, Matthew Pounsett wrote:

>On Mon, 29 Oct 2018 at 12:21, Paul Hoffman <paul.hoffman at icann.org> wrote:
>
>> On Oct 29, 2018, at 9:08 AM, Chris Thompson <cet1 at cam.ac.uk> wrote:
>> >
>> > On Oct 29 2018, Paul Hoffman wrote:
>> >
>> >> * Y'all did remember that the rollover isn't complete until we revoke
>> >> KSK-2010 on 11 January 2019, yes?
>> >
>> > Or maybe 70 days later (22 March) when the revoked KSK-2010 disappears
>> > from the root zone?
>>
>> Good catch! We know that some software that does DNSSEC validation doesn't
>> implement RFC 5011. The fact that the REVOKE bit is turned on in the record
>> for KSK-2010 in DNSKEY RRset won't mean anything to systems running that
>> software unless they also update their trust anchor files to only include
>> KSK-2017.
>>
>
>Although anything that doesn't implement 5011 should already be
>experiencing problems since KSK-2010 is no longer being used to sign
>anything.  Any of those systems that are not experiencing problems now must
>have had their trust anchor manually updated, and revocation or removal of
>KSK-2010 should be irrelevant to them.  I would expect the only problems to
>be exposed by revocation or removal of KSK-2010 to be bugs in 5011
>implementations.

This surely isn't right? Validators using statically configured trust
anchors (e.g. using "trusted-keys" rather than "managed-keys" in BIND)
and having both KSK-2010 and KSK-2017 configured as trust anchors will
go on working just fine. If this wasn't the case, they would not have
been able to add a trust anchor for KSK-2017 in advance of the rollover.

At some point we will want to see some statistics about RFC 8145
signals that indicate trusting only KSK-2017. Maybe there is even
some such data available already, even if it isn't shown in the
graphs at http://root-trust-anchor-reports.research.icann.org/ ?
(It is interesting, though, that those graphs show only a rather
modest decrease in the KSK-2010-only signals during October.)

-- 
Chris Thompson
Email: cet1 at cam.ac.uk

More information about the ksk-rollover mailing list