[ksk-rollover] Revoking KSK-2010 imminent

Chris Thompson cet1 at cam.ac.uk
Sun Jan 6 17:14:38 UTC 2019

With the revoking of KSK-2010 in the root DNSKEY RRset due in 5 days' time,
is no one at all nervous about possible consequences?

A couple of more specific questions:

1. This has been asked before, but is anyone analysing the RFC 8145 data
   to see how many servers are reporting that they only trust KSK-2017,
   and are they in a position to track how this changes during the revoking
   process? The graphs at http://root-trust-anchor-reports.research.icann.org/
   are described in terms of servers trusting only KSK-2010 vs. all others.

2. In the unlikely event that publishing a revoked KSK-2010 causes significant
   problems (e.g. the new high water mark for the size of a signed DNSKEY
   response has been mentioned), do ICANN have a back-off strategy (e.g. to
   delay the revoking)?

Chris Thompson
Email: cet1 at cam.ac.uk
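
The classification asked about in question 1, as an added example that is not part of the original message or any ICANN tooling: it buckets RFC 8145 key tag query names per reporting source into only-KSK-2010, only-KSK-2017, or both, keeping each source's latest signal so the change can be tracked across the revocation. The record layout (timestamp, source, qname), the function names and the sample records are assumptions constructed for illustration; the key tags are 19036 (0x4a5c) for KSK-2010 and 20326 (0x4f66) for KSK-2017.

```python
import re
from collections import Counter

KSK_2010 = 19036  # key tag 0x4a5c
KSK_2017 = 20326  # key tag 0x4f66

# RFC 8145 query-name form: "_ta-" followed by 4-hex-digit key tags joined by "-".
_TA_LABEL = re.compile(r"_ta(-[0-9a-f]{4})+")

def parse_key_tag_qname(qname):
    """Return the set of key tags signalled in qname, or None if it is not a signal."""
    label = qname.rstrip(".").split(".")[0].lower()
    if not _TA_LABEL.fullmatch(label):
        return None
    return {int(part, 16) for part in label[4:].split("-")}

def classify(tags):
    """Bucket a resolver by which root KSKs it reports as trust anchors."""
    has_2010, has_2017 = KSK_2010 in tags, KSK_2017 in tags
    if has_2010 and has_2017:
        return "both"
    if has_2017:
        return "only-2017"
    if has_2010:
        return "only-2010"
    return "other"

def summarize(records):
    """records: iterable of (timestamp, source, qname). Latest signal per source wins."""
    latest = {}
    for _ts, source, qname in sorted(records):
        tags = parse_key_tag_qname(qname)
        if tags is not None:  # ignore ordinary queries and malformed labels
            latest[source] = classify(tags)
    return Counter(latest.values())

# Constructed sample records (documentation addresses, not real telemetry).
SAMPLE = [
    ("2019-01-05T00:00:00Z", "192.0.2.1", "_ta-4a5c-4f66."),
    ("2019-01-12T00:00:00Z", "192.0.2.1", "_ta-4f66."),
    ("2019-01-05T00:00:00Z", "192.0.2.2", "_ta-4a5c."),
    ("2019-01-05T00:00:00Z", "192.0.2.3", "_ta-4a5c-4f66."),
    ("2019-01-05T00:00:00Z", "192.0.2.4", "www.example."),
    ("2019-01-05T00:00:00Z", "192.0.2.5", "_ta-zzzz."),
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```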
