[ksk-rollover] Current status of KSK-RollOver?

Petr Špaček petr.spacek at nic.cz
Mon Sep 10 12:45:04 UTC 2018

On 30.8.2018 01:24, David Conrad wrote:
> Hi,
> On Aug 29, 2018, at 3:36 PM, Rene 'Renne' Bartsch, B.Sc. Informatics via
> ksk-rollover <ksk-rollover at icann.org <mailto:ksk-rollover at icann.org>> wrote:
>> Rolling out DNSSEC is not a technical but a social problem. It's
>> called fear and laziness.
>> It seems the focus of the ICANN board is too technical to realize this.
> In my experience, it is rare for someone to say the focus of ICANN’s
> board “too technical” :).
>> The indecisiveness of the ICANN board makes all involved parties insecure.
> To clarify, the Board has not been not indecisive. They haven’t yet been
> asked to make a decision on rolling the KSK.
>> I suggest a marketing campaign to promote the benefits of the
>> DNSSEC/DANE dyad for users
>> who will then push service providers and hard-/software developers.
> We (staff) would love to hear thoughts on benefits of DNSSEC/DANE (we

I would put https://tools.ietf.org/html/rfc7477 aka
"Child-to-Parent Synchronization in DNS"
on the list.

DNSSEC is required to do this in a secure way but once we have it we can
get rid of parent-child NS desynchronization problem.

That would help a lot with DNS operations/debugging because parent-child
desync can be lurking for months or even years before last NS is moved
elsewhere and then whole domain breaks suddenly.

Petr Špaček  @  CZ.NIC

More information about the ksk-rollover mailing list