[ksk-rollover] Retention of the 2010 KSK

David Prangnell david.prangnell at iana.org
Wed Apr 24 18:57:59 UTC 2019

To Whom It May Concern,

We have carefully reviewed the recent discussions about retaining KSK-2010 beyond its scheduled lifetime to enable a possible future as-yet-undefined technique to bootstrap a validator that has been offline for an extended period. We have decided to proceed with the deletion of the KSK-2010 as scheduled on 16 May 2019 from the Key Management Facility (KMF) East and then on 14 August 2019 from the KMF West.

We have made the decision based on these factors:

  *   On 11 January 2019, the root zone was published with KSK-2010 marked as revoked. The KSK-2010 key was also marked as expired in the root-anchors.xml file.
  *   Since 22 March 2019, the root zone is no longer published with KSK-2010 in the DNSKEY record set.
  *   We have not received a strong indication of how the KSK-2010 would be used in the future.
  *   It seems likely any technique to bootstrap offline validators would be implemented in software that can reasonably be assumed to, at a minimum, be configured with KSK-2017.
  *   Deletion of the KSK-2010 is an activity prescribed in the KSK rollover plan [1] and also in the DNSSEC Practice Statements (DPS) [2].

Thank you,
David Prangnell
Email: david.prangnell at iana.org

[1] Page 15 at https://www.icann.org/en/system/files/files/ksk-rollover-operational-implementation-plan-22jul16-en.pdf

[2] Section 6.5 at https://www.iana.org/dnssec/dps/ksk-operator/ksk-dps.txt
