[ksk-rollover] Revoking KSK-2010 imminent
Chris Thompson
cet1 at cam.ac.uk
Sun Jan 6 17:14:38 UTC 2019
With the revoking of KSK-2010 in the root DNSKEY RRset due in 5 days time,
is no one at all nervous about possible consequences?
A couple of more specific question:
1. This has been asked before, but is anyone analysing the RFC 8145 data
to see how many servers are reporting that they only trust KSK-2017,
and are they in a position to track how this changes during the revoking
process? The graphs at http://root-trust-anchor-reports.research.icann.org/
are described in terms of servers trusting only KSK-2010 vs. all others.
2. In the unlikely event that publishing a revoked KSK-2010 causes significant
problems (e.g. the new high water mark for the size of a signed DNSKEY
response has been mentioned), do ICANN have a back-off strategy (e.g. to
delay the revoking)?
--
Chris Thompson
Email: cet1 at cam.ac.uk
More information about the ksk-rollover
mailing list