[ksk-rollover] followup of DNSSEC Workshop at ICANN64
Tony Finch
dot at dotat.at
Thu Mar 14 14:07:39 UTC 2019
Michael Richardson <mcr+ietf at sandelman.ca> wrote:
>
> I also want regular rollover, and I'd like it to be frequent enough that it
> gets tested. I also want it infrequent enough to never be without an anchor.
Trust anchor lifetime can be decoupled from rollover frequency.
If keys are generated a few years in advance of going into active use,
there is plenty of time for them to be disseminated beforehand. They do
not have to be pre-published in the zone (although that is what RFC 5011
was designed for); they can be distributed out of band by software updates
or other means. If there are annual rollovers with keys generated N years
in advance, at any time there will be N pre-published keys one of which
might be pre-published in the zone, one active KSK in production, and
maybe one in retirement.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Irish Sea: West or southwest 6 to gale 8, decreasing 5 for a time. Rough,
becoming moderate. Rain. Moderate or good.
More information about the ksk-rollover
mailing list