[ksk-rollover] Future rollover planning opportunities

Tony Finch dot at dotat.at
Wed Feb 20 12:29:59 UTC 2019

Fred Baker <fred at isc.org> wrote:
> The key consideration is that key rollovers are a "usual" event, and as
> such the key(s) should be something learned from the root and the root
> servers, not something configured or compiled into the resolver
> software.

However, there has to be a bootstrap mechanism, and the only one available
is for the validator vendor to provide an initial key set.

I agree that rollovers need to be routine (I think annual makes sense) but
they have to be planned with software releases in mind. This might require
keys to be generated and promulgated out of band a long time before they
are published in the zone or used for signing. Then a vendor package can
include root keys covering the next couple of years, say.
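The bootstrap scheme sketched above, as an added example that is not part of the original message or of any vendor's software: one side builds a root-anchors.xml-style bundle holding DS digests for several root KSKs, each tagged with a validity window, and the resolver side at start-up selects the anchors whose window covers today and checks a fetched root DNSKEY RRset against them. The key tag follows RFC 4034 Appendix B and the digest is DS digest type 2 (SHA-256 over the owner name in wire form followed by the DNSKEY RDATA); the key bytes, dates and the `constructed-example` anchor id are invented for the demonstration.

```python
"""Trust-anchor bootstrap helper (added example, not from the ksk-rollover thread).

Vendor side: build a bundle in the shape of IANA's root-anchors.xml that
carries DS digests for several root KSKs, each with validFrom/validUntil.
Resolver side: pick the anchors valid on a given date and check a freshly
fetched root DNSKEY RRset against them.  All key material is constructed.
"""
import hashlib
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ROOT_OWNER_WIRE = b"\x00"  # wire-format encoding of the root name "."


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner name wire form || DNSKEY RDATA), hex."""
    return hashlib.sha256(ROOT_OWNER_WIRE + rdata).hexdigest().upper()


def build_anchor_bundle(keys) -> str:
    """Vendor side. keys: list of (rdata, valid_from, valid_until) with ISO-8601
    strings (valid_until may be None).  Returns XML text."""
    root = ET.Element("TrustAnchor", id="constructed-example")  # constructed id
    ET.SubElement(root, "Zone").text = "."
    for rdata, vfrom, vuntil in keys:
        attrs = {"validFrom": vfrom}
        if vuntil:
            attrs["validUntil"] = vuntil
        kd = ET.SubElement(root, "KeyDigest", **attrs)
        ET.SubElement(kd, "KeyTag").text = str(key_tag(rdata))
        ET.SubElement(kd, "Algorithm").text = str(rdata[3])
        ET.SubElement(kd, "DigestType").text = "2"
        ET.SubElement(kd, "Digest").text = ds_digest(rdata)
    return ET.tostring(root, encoding="unicode")


def active_anchors(bundle_xml: str, now: datetime):
    """Resolver side: (key_tag, digest) pairs whose validity window covers `now`.
    Anchors whose validFrom lies in the future are shipped but not yet trusted."""
    out = []
    for kd in ET.fromstring(bundle_xml).iter("KeyDigest"):
        if now < datetime.fromisoformat(kd.get("validFrom")):
            continue
        vuntil = kd.get("validUntil")
        if vuntil and now >= datetime.fromisoformat(vuntil):
            continue
        if kd.findtext("DigestType") != "2":
            continue  # only SHA-256 anchors are understood here
        out.append((int(kd.findtext("KeyTag")), kd.findtext("Digest")))
    return out


def matching_key_tags(bundle_xml: str, now: datetime, dnskey_rdatas):
    """Key tags of fetched DNSKEYs that hash to a currently active anchor.
    An empty result means the resolver must not trust the fetched RRset."""
    active = set(active_anchors(bundle_xml, now))
    return sorted(key_tag(r) for r in dnskey_rdatas
                  if (key_tag(r), ds_digest(r)) in active)


# Constructed KSKs: flags 257 (KSK), protocol 3, algorithm 8, dummy key bytes.
KSK_A = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")   # key tag 2063
KSK_B = dnskey_rdata(257, 3, 8, b"\x05\x06\x07\x08")   # key tag 4119

# A bundle shipped in 2019 that already carries the successor key for 2021.
BUNDLE = build_anchor_bundle([
    (KSK_A, "2019-01-01T00:00:00+00:00", "2021-01-01T00:00:00+00:00"),
    (KSK_B, "2021-01-01T00:00:00+00:00", None),
])

if __name__ == "__main__":
    print(BUNDLE)
    for year in (2019, 2021):
        when = datetime(year, 6, 1, tzinfo=timezone.utc)
        print(year, matching_key_tags(BUNDLE, when, [KSK_A, KSK_B]))
```

Because the bundle carries the successor key with a validFrom date in the future, a resolver built from the 2019 package keeps working across the 2021 rollover without a software update, which is the point of promulgating keys out of band well ahead of their use; a DNSKEY whose digest matches no anchor active on the current date yields an empty match and must not be accepted as a trust anchor.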

