[ksk-rollover] Future rollover planning opportunities

Peter van Dijk peter.van.dijk at powerdns.com
Wed Feb 20 20:06:06 UTC 2019

On 20 Feb 2019, at 13:29, Tony Finch wrote:

> However there has to be a bootstrap mechanism, and the only one available
> is for the validator vendor to provide an initial key set.

If it can provide an initial key set, it can also provide a current key 
set. See below :)

> I agree that rollovers need to be routine (I think annual makes sense) but
> they have to be planned with software releases in mind.

I strongly disagree. Users have a trust relationship that everything is 
built on already - that with their software vendors. For most people, 
that is ‘Debian’ or ‘CentOS’ or perhaps ‘Microsoft’. Debian 
already ships a dns-root-data package that contains the current root 
trust anchors.  This package is updated outside of any release schedules 
imposed by ISC, PowerDNS, NLnetlabs, etc.

I understand that the Red Hat/CentOS/Fedora side of things also has plans 
for this, or maybe has done this meanwhile.

Please build on that relationship. It’s all we need.

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
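If the OS package is the bootstrap, the check a validator operator will want is that the trust anchors it ships actually match DS values pinned from a second source. The script below is an added example written for this post; it is not code from the ksk-rollover list, PowerDNS or Debian. It parses DNSKEY lines in the zone-file style that dns-root-data's root.key uses, computes the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest for every SEP-flagged key, and reports whether a pinned DS matches. The key material in SAMPLE_ROOT_KEY is a constructed three-byte placeholder, not a real root KSK; the DS line for key tag 20326 is the published root DS for KSK-2017; the path /usr/share/dns/root.key is assumed to be where the Debian package installs the file.

```python
import base64
import hashlib

# Constructed sample in the line format dns-root-data's root.key uses.
# "AQID" (bytes 01 02 03) is a placeholder, NOT a real root KSK; the real
# file carries a full RSA public key.
SAMPLE_ROOT_KEY = """\
; constructed example, not the real root zone trust anchor
.\t172800\tIN\tDNSKEY\t257 3 8 AQID
"""

# DS records pinned from a source other than the package under test.
# This is the published DS for the root KSK with key tag 20326 (KSK-2017);
# the constructed key above will, correctly, not match it.
PINNED_ROOT_DS = """\
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
"""


def parse_dnskeys(text):
    """Return [(owner, flags, protocol, algorithm, pubkey_bytes)] from zone-style DNSKEY lines."""
    keys = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()        # drop ';' comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))   # base64 may be split by spaces
        keys.append((fields[0], flags, proto, alg, pubkey))
    return keys


def parse_ds(text):
    """Return {(key_tag, algorithm, digest_type, HEX_DIGEST)} from zone-style DS lines."""
    pinned = set()
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if "DS" not in fields:
            continue
        i = fields.index("DS")
        tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
        pinned.add((tag, alg, dtype, "".join(fields[i + 4:]).upper()))
    return pinned


def owner_to_wire(name):
    """Canonical (lower-cased) wire form of an owner name; the root is a single zero byte."""
    if name == ".":
        return b"\x00"
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.lower().encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, proto, alg, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner, flags, proto, alg, pubkey):
    """DS digest type 2: SHA-256 over canonical owner name + DNSKEY RDATA (RFC 4509)."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), alg, 2, digest)


def check_trust_anchors(key_text, ds_text):
    """Map each SEP-flagged key's tag to True iff some pinned DS in ds_text matches it.

    Keys without the SEP bit (flags 256, i.e. ZSKs) are skipped: only KSKs are anchors.
    A False result means the shipped anchor is NOT one you have independently pinned.
    """
    pinned = parse_ds(ds_text)
    result = {}
    for owner, flags, proto, alg, pubkey in parse_dnskeys(key_text):
        if not flags & 0x0001:                 # SEP bit clear: not a trust anchor
            continue
        tag = key_tag(dnskey_rdata(flags, proto, alg, pubkey))
        result[tag] = ds_sha256(owner, flags, proto, alg, pubkey) in pinned
    return result


if __name__ == "__main__":
    # Assumed path for the Debian package's anchor file: /usr/share/dns/root.key.
    # Against the constructed sample the check fails, as it should.
    print(check_trust_anchors(SAMPLE_ROOT_KEY, PINNED_ROOT_DS))   # {2059: False}
```

To use it against a real install, read the package's root.key into `key_text` and keep the pinned DS set somewhere the package manager does not write to; a `False` for a tag that the validator is about to trust is the signal to stop and investigate before the next rollover, not after.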
