[ksk-rollover] Retention of the 2010 KSK
housley at vigilsec.com
Wed Apr 24 19:32:27 UTC 2019
Thanks. Your reasoning is clear, and this seems like good cryptographic key hygiene as promised in the KSK DPS.
> On Apr 24, 2019, at 2:57 PM, David Prangnell <david.prangnell at iana.org> wrote:
> To Whom It May Concern,
> We have carefully reviewed the recent discussions about retaining KSK-2010 beyond its scheduled lifetime to enable a possible future as-yet-undefined technique to bootstrap a validator that has been offline for an extended period. We have decided to proceed with the deletion of the KSK-2010 as scheduled on 16 May 2019 from the Key Management Facility (KMF) East and then on 14 August 2019 from the KMF West.
> We have made the decision based on these factors:
> On 11 January 2019, the root zone was published with KSK-2010 marked as revoked. The KSK-2010 key was also marked as expired in the root-anchors.xml file.
> Since 22 March 2019, the root zone is no longer published with KSK-2010 in the DNSKEY record set.
> We have not received a strong indication of how the KSK-2010 would be used in the future.
> It seems likely any technique to bootstrap offline validators would be implemented in software that can reasonably be assumed to, at a minimum, be configured with KSK-2017.
> Deletion of the KSK-2010 is an activity prescribed in the KSK rollover plan [1] and also in the DNSSEC Practice Statements (DPS) [2].
> Thank you,
> David Prangnell
> Email: david.prangnell at iana.org
> [1] Page 15 at https://www.icann.org/en/system/files/files/ksk-rollover-operational-implementation-plan-22jul16-en.pdf
> [2] Section 6.5 at https://www.iana.org/dnssec/dps/ksk-operator/ksk-dps.txt
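The message above leans on two signals a validator can check for itself: the KSK-2010 entry in root-anchors.xml carries a validUntil of 2019-01-11, and the key was published with the RFC 5011 REVOKE bit set before it left the DNSKEY RRset. The following is an added example, not part of this thread or of IANA's tooling: it parses a constructed excerpt laid out like root-anchors.xml (placeholder digests, dates taken from the thread) and reports which anchors a bootstrapping validator may still trust at a given time.

```python
"""Select usable root trust anchors from a root-anchors.xml-style document.

Added example, not code from the mailing-list thread. The XML below is a
constructed excerpt following the layout of IANA's root-anchors.xml; the
Digest values are placeholders, not the real DS digests.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

CONSTRUCTED_ANCHORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="constructed-example" source="constructed-for-illustration">
  <Zone>.</Zone>
  <KeyDigest id="KSK-2010" validFrom="2010-07-15T00:00:00+00:00"
             validUntil="2019-01-11T00:00:00+00:00">
    <KeyTag>19036</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>PLACEHOLDER_DIGEST_KSK_2010</Digest>
  </KeyDigest>
  <KeyDigest id="KSK-2017" validFrom="2017-02-02T00:00:00+00:00">
    <KeyTag>20326</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>PLACEHOLDER_DIGEST_KSK_2017</Digest>
  </KeyDigest>
</TrustAnchor>
"""

REVOKE_BIT = 0x0080  # RFC 5011 REVOKE flag in the DNSKEY flags field


def parse_ts(value):
    # root-anchors.xml timestamps are RFC 3339 with an explicit UTC offset.
    return datetime.fromisoformat(value)


def usable_anchors(xml_text, now):
    """Return ids of KeyDigest entries whose validity window covers `now`.

    An entry with no validUntil attribute has no scheduled expiry; an entry
    past validUntil is retired and must not be used to bootstrap trust.
    """
    root = ET.fromstring(xml_text)
    usable = []
    for kd in root.findall("KeyDigest"):
        if now < parse_ts(kd.get("validFrom")):
            continue  # not yet valid
        until = kd.get("validUntil")
        if until is not None and now >= parse_ts(until):
            continue  # expired, as KSK-2010 was on 11 January 2019
        usable.append(kd.get("id"))
    return usable


def is_revoked(dnskey_flags):
    """True when a DNSKEY's flags carry the RFC 5011 REVOKE bit."""
    return bool(dnskey_flags & REVOKE_BIT)


if __name__ == "__main__":
    when = datetime(2019, 4, 24, tzinfo=timezone.utc)  # date of this thread
    print("usable anchors on", when.date(), usable_anchors(CONSTRUCTED_ANCHORS_XML, when))
    print("flags 385 revoked:", is_revoked(385), "| flags 257 revoked:", is_revoked(257))
```

On the date of this thread only KSK-2017 passes; a validator last online in 2018 would still see both entries, which is the bootstrap gap the message discusses.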