[ksk-rollover] Retention of the 2010 KSK
warren at kumari.net
Thu Apr 25 11:33:11 UTC 2019
Excellent, thank you - partly for the decision, but even more so for the
clear communication, backed up with clear reasoning.
On Wed, Apr 24, 2019 at 2:58 PM David Prangnell <david.prangnell at iana.org> wrote:
> To Whom It May Concern,
> We have carefully reviewed the recent discussions about retaining KSK-2010
> beyond its scheduled lifetime to enable a possible future as-yet-undefined
> technique to bootstrap a validator that has been offline for an extended
> period. We have decided to proceed with the deletion of the KSK-2010 as
> scheduled on 16 May 2019 from the Key Management Facility (KMF) East and
> then on 14 August 2019 from the KMF West.
> We have made the decision based on these factors:
> - On 11 January 2019, the root zone was published with KSK-2010 marked
> as revoked. The KSK-2010 key was also marked as expired in the
> root-anchors.xml file.
> - Since 22 March 2019, the root zone is no longer published with
> KSK-2010 in the DNSKEY record set.
> - We have not received a strong indication of how the KSK-2010 would
> be used in the future.
> - It seems likely any technique to bootstrap offline validators would
> be implemented in software that can reasonably be assumed to, at a minimum, be
> configured with KSK-2017.
> - Deletion of the KSK-2010 is an activity prescribed in the KSK
> rollover plan and also in the DNSSEC Practice Statements (DPS).
> Thank you,
> David Prangnell
> Email: david.prangnell at iana.org
>  Page 15 at
>  Section 6.5 at
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of