[ksk-rollover] Revoking KSK-2010 imminent

Paul Wouters paul at nohats.ca
Sun Jan 6 23:23:55 UTC 2019

On Jan 6, 2019, at 17:49, Geoff Huston <gih at apnic.net> wrote:
> As far as I understand the situation there is one small risk factor - the revoked key will inflate the size of the response to a root zone DNSKEY query to 1449 octets (as I recall). The combination of the possibility of fragmentation and some root servers performing response truncation implies a small risk of some DNSSEC-validating resolvers being unable to retrieve the root zone DNSKEY RR and going ‘dark’.
> However, this seems like a pretty small risk - other zones, such as .org, use a far larger response, and if a validating resolver is going to get caught out on being unable to receive large responses then it already has problems with .org names!

Also, if it turns out to be an actual problem, the dnskey RRset without the revoked key can be restored quickly. The only bad effect would be that not all RFC 5011 compliant revolvers remove the old no longer used key from their trust set. And all copies of that key can/should be destroyed soon anyway :)


More information about the ksk-rollover mailing list