[ksk-rollover] followup of DNSSEC Workshop at ICANN64

Warren Kumari warren at kumari.net
Thu Mar 14 11:01:10 UTC 2019


On Thu, Mar 14, 2019 at 6:42 PM Fred Baker <fredbaker.ietf at gmail.com> wrote:

>
>
> > On Mar 14, 2019, at 5:58 PM, Shane Kerr <shane at time-travellers.org> wrote:
> >
> > Personally I would like to see rolls frequent enough that everything
> > around a roll is automated.
>
> I mostly agree. I think the key thing is that key rolls must be *normal*
> and the software therefore designed with that assumption. For developers to
> believe that it is normal, it must be "frequent enough", whatever that
> means. I personally might vote for "quarterly" or "annual" if the
> implication is only that operators needed to be aware that it was happening
> in case something breaks, and 2-3 years might actually be OK, but for sure
> not "every five years".
>


So, my original "gut feel" was approximately every year, and I still feel
that that is roughly the right frequency -- but, I think that we first need
to figure out what the cause of the increase in DNSKEY lookups is - it
concerns me that we predicted no impact from the revocation, and we got...
this. I think that, assuming we figure out the causes of the increase (and
understand them well enough that we are fairly sure that they won't jump
again!), my gut still says ~1year -- but, more research needed...

W



>
> --------------------------------------------------------------------------------
> Victorious warriors win first and then go to war,
> Defeated warriors go to war first and then seek to win.
>      Sun Tzu
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf