[ksk-rollover] followup of DNSSEC Workshop at ICANN64

Ondrej Filip ondrej.filip at nic.cz
Thu Mar 14 13:57:37 UTC 2019

On 14. 03. 19 12:01, Warren Kumari wrote:
> So, my original "gut feel" was approximately every year, and I still
> feel that that is roughly the right frequency -- but, I think that we
> first need to figure out what the cause of the increase in DNSKEY
> lookups is - it concerns me that we predicted no impact from the
> revocation, and we got... this. I think that, assuming we figure out
> the causes of the increase (and understand them well enough that we
> are fairly sure that they won't jump again!), my gut still says ~1year
> -- but, more research needed...

As a producer of a DNS validating CPE device/router, I must say, I am
not very excited about frequent roll-overs. If your device stays at a
retailer store for some time, you might be in trouble. So I would
prefer some longer periods. But it is more important how much in
advance is the new key known/published.


> W
>     --------------------------------------------------------------------------------
>     Victorious warriors win first and then go to war,
>     Defeated warriors go to war first and then seek to win.
>          Sun Tzu
>     _______________________________________________
>     ksk-rollover mailing list
>     ksk-rollover at icann.org <mailto:ksk-rollover at icann.org>
>     https://mm.icann.org/mailman/listinfo/ksk-rollover
> -- 
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf

 (  CZ.NIC z.s.p.o.                              )
  Ondrej Filip  -  CEO

  Office : Milesovska 5, Praha 3,  Czech Republic
  Email  : ondrej.filip at nic.cz  http://www.nic.cz
  Private: feela at network.cz
