[ksk-rollover] Revoking KSK-2010 imminent

Paul Hoffman paul.hoffman at icann.org
Sun Jan 6 18:02:21 UTC 2019

On 6 Jan 2019, at 9:14, Chris Thompson wrote:

> With the revoking of KSK-2010 in the root DNSKEY RRset due in 5 days time,
> is no one at all nervous about possible consequences?
> A couple of more specific questions:
> 1. This has been asked before, but is anyone analysing the RFC 8145 data
>   to see how many servers are reporting that they only trust KSK-2017,
>   and are they in a position to track how this changes during the revoking
>   process? The graphs at http://root-trust-anchor-reports.research.icann.org/
>   are described in terms of servers trusting only KSK-2010 vs. all others.
> 2. In the unlikely event that publishing a revoked KSK-2010 causes significant
>   problems (e.g. the new high water mark for the size of a signed DNSKEY
>   response has been mentioned), do ICANN have a back-off strategy (e.g. to
>   delay the revoking)?

ICANN cannot "delay" the revoking once it has started because some validating resolvers will have already seen the DNSKEY RRset that has the revoke bit for KSK-2010 turned on. However, if there are significant problems, there is a fallback DNSKEY RRset that is the same as the one that will be published but without the revoke bit set. ICANN (and many others) will be monitoring for signs of significant problems for the 48 hours after the new DNSKEY RRset is published.

--Paul Hoffman
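As an added illustration of the two points raised above (not part of the thread and not ICANN's tooling): a parser for RFC 8145 key-tag signaling names that buckets resolvers by which root KSK they report trusting, and a deliberately simplified RFC 5011 revocation step showing why the process cannot be paused once a resolver has seen the REVOKE bit. The sample query names and DNSKEY flag values are constructed; the key tags 19036 (KSK-2010) and 20326 (KSK-2017) are the real ones.

```python
import re

REVOKE = 0x0080      # DNSKEY flags bit 8 (RFC 5011)
KSK_2010 = 19036     # key tag of the 2010 root KSK
KSK_2017 = 20326     # key tag of the 2017 root KSK

# RFC 8145 key-tag signaling QNAME: "_ta-" followed by 4-hex-digit key tags
_TA = re.compile(r"^_ta(?:-[0-9a-f]{4})+$", re.I)

def parse_ta_signal(qname):
    """Return the set of key tags signaled in a QNAME such as _ta-4a5c-4f66., else None."""
    label = qname.rstrip(".").split(".")[0]
    if not _TA.match(label):
        return None
    return {int(h, 16) for h in label.split("-")[1:]}

def classify(tags):
    """Bucket a resolver by which root KSKs it reports as trusted."""
    has10, has17 = KSK_2010 in tags, KSK_2017 in tags
    if has10 and has17:
        return "both"
    if has10:
        return "only-KSK-2010"
    if has17:
        return "only-KSK-2017"
    return "neither"

def summarize(qnames):
    """Count signaling queries per bucket; non-signaling names are ignored."""
    counts = {}
    for q in qnames:
        tags = parse_ta_signal(q)
        if tags is not None:
            counts[classify(tags)] = counts.get(classify(tags), 0) + 1
    return counts

def apply_revocation(trusted, dnskey_rrset, signer_tags):
    """Simplified RFC 5011 step: a trusted key seen with REVOKE set, in an RRset signed
    by that same key, is removed from the trust set (signature validity is assumed here)."""
    return {t for t in trusted
            if not any(tag == t and flags & REVOKE and t in signer_tags
                       for tag, flags in dnskey_rrset)}

# Constructed sample: four RFC 8145 signals plus one ordinary name
SAMPLE_QNAMES = ["_ta-4a5c-4f66.", "_ta-4f66.", "_ta-4f66.", "_ta-4a5c.", "www.example."]

# Constructed DNSKEY RRset with KSK-2010 revoked (flags 0x0181 = ZONE|REVOKE|SEP),
# signed by both KSK-2010 and KSK-2017
REVOKED_RRSET = [(KSK_2010, 0x0181), (KSK_2017, 0x0101)]
SIGNERS = {KSK_2010, KSK_2017}
```

A resolver that trusts only KSK-2010 ends with an empty trust set after this step, which is the failure mode behind the first question; one that trusts both keeps KSK-2017.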