[ksk-rollover] thoughts to the list as requested
paul at nohats.ca
Tue Apr 2 16:40:10 UTC 2019
On Tue, 2 Apr 2019, Matthew Pounsett wrote:
> On the subject of "nobody should bake a particular key into software...", John Dickinson and I were entertaining the notion
> last week of writing up advice to the effect that implementers should deprecate the notion of non-5011 trust anchors;
Today this is simply impossible. All machines installed fresh within the
last 29 days of a KSK roll would die.
> I'm persuaded by the use case Paul Ebersman brought up, that some networks may prefer to control when and how trust anchor
> updates happen on their network, and so maybe this advice should be a statement about defaults, rather than advice to never have
> static keys.
We've had this discussion a number of times over the years. You won't
get a different outcome now. 5011 is fundamentally broken and needs
another mechanism to support it or a mechanism to replace it.
Also, vendors already have static keys or OS updates. We update the system
store for CA certificates and DNSSEC root keys with that. We don't see
this as a big problem (granted, we don't look beyond EOL which you might
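As an added illustration of the hold-down point made above (example code written for this archive page, not from the thread or from any resolver's implementation): a simplified RFC 5011 trust-anchor state machine run over a constructed roll timeline, with the successor KSK published on day 0 and the old KSK revoked on day 120. The day numbers, the key names and the one-poll-per-day cadence are assumptions; only the 30-day add hold-down comes from RFC 5011.

```python
ADD_HOLD_DOWN_DAYS = 30   # RFC 5011 add hold-down timer: 30 days

def root_dnskeys(day, new_key_day, revoke_day):
    """Constructed root KSK RRset for one day: {key_id: REVOKE bit set}.
    Every listed key is taken to sign the RRset (a revoked key self-signs,
    as RFC 5011 requires, so the revocation is visible to the resolver)."""
    keys = {"KSK-old": day >= revoke_day}      # REVOKE bit set from revoke_day on
    if day >= new_key_day:
        keys["KSK-new"] = False                # successor published, not revoked
    return keys

def simulate(install_day, end_day, new_key_day=0, revoke_day=120):
    """Poll once per day from install_day to end_day; return the keys the
    resolver still trusts at end_day. The install ships only the static
    KSK-old anchor. Simplified RFC 5011: no Missing/Removed states and
    no active-refresh jitter."""
    valid = {"KSK-old"}                        # static anchor baked into the install
    first_seen = {}                            # key_id -> day AddPend began
    for day in range(install_day, end_day + 1):
        rrset = root_dnskeys(day, new_key_day, revoke_day)
        # RFC 5011 only acts on an RRset signed by a currently trusted key.
        if not any(k in valid for k in rrset):
            continue                           # nothing trusted signs it: resolver is stuck
        # A trusted key published with the REVOKE bit is dropped at once.
        for k, revoked in rrset.items():
            if revoked:
                valid.discard(k)
        # A candidate that vanished from the RRset goes back to Start.
        for k in list(first_seen):
            if k not in rrset:
                del first_seen[k]
        # Other keys sit in AddPend until the hold-down timer has elapsed.
        for k, revoked in rrset.items():
            if revoked or k in valid:
                continue
            first_seen.setdefault(k, day)
            if day - first_seen[k] >= ADD_HOLD_DOWN_DAYS:
                valid.add(k)
    return valid

def install_days_left_without_anchor(end_day=150, new_key_day=0, revoke_day=120):
    """Install days, up to the revocation, that end with no trusted key at all."""
    return [d for d in range(new_key_day, revoke_day + 1)
            if not simulate(d, end_day, new_key_day, revoke_day)]

if __name__ == "__main__":
    print("installed day 60 :", simulate(60, 150))
    print("installed day 100:", simulate(100, 150))
    print("installs ending without a trust anchor:", install_days_left_without_anchor())
```

A resolver installed with the static old key at least 30 days before the revocation learns the new key in time; one installed inside that window loses its only anchor on the revocation day and, having nothing trusted left to validate the RRset with, can never learn the new key by 5011 alone.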