[ksk-rollover] followup of DNSSEC Workshop at ICANN64

Warren Kumari warren at kumari.net
Thu Mar 14 11:01:10 UTC 2019

On Thu, Mar 14, 2019 at 6:42 PM Fred Baker <fredbaker.ietf at gmail.com> wrote:

> > On Mar 14, 2019, at 5:58 PM, Shane Kerr <shane at time-travellers.org>
> wrote:
> >
> > Personally I would like to see rolls frequent enough that everything
> around a roll is automated.
> I mostly agree. I think the key thing is that key rolls must be *normal*
> and the software therefore designed with that assumption. For developers to
> believe that it is normal, it must be "frequent enough", whatever that
> means. I personally might vote for "quarterly" or "annual" if the
> implication is only that operators needed to be aware that it was happening
> in case something breaks, and 2-3 years might actually be OK, but for sure
> not "every five years".

So, my original "gut feel" was approximately every year, and I still feel
that that is roughly the right frequency -- but, I think that we first need
to figure out what the cause of the increase in DNSKEY lookups is - it
concerns me that we predicted no impact from the revocation, and we got...
this. I think that, assuming we figure out the causes of the increase (and
understand them well enough that we are fairly sure that they won't jump
again!), my gut still says ~1year -- but, more research needed...


> --------------------------------------------------------------------------------
> Victorious warriors win first and then go to war,
> Defeated warriors go to war first and then seek to win.
>      Sun Tzu
> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover

I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190314/aec380fa/attachment.html>

More information about the ksk-rollover mailing list