[ksk-rollover] followup of DNSSEC Workshop at ICANN64

Tony Finch dot at dotat.at
Thu Mar 14 14:07:39 UTC 2019

Michael Richardson <mcr+ietf at sandelman.ca> wrote:
> I also want regular rollover, and I'd like it to be frequent enough that it
> gets tested.  I also want it infrequent enough to never be without an anchor.

Trust anchor lifetime can be decoupled from rollover frequency.

If keys are generated a few years in advance of going into active use,
there is plenty of time for them to be disseminated beforehand. They do
not have to be pre-published in the zone (although that is what RFC 5011
was designed for); they can be distributed out of band by software updates
or other means.  If there are annual rollovers with keys generated N years
in advance, at any time there will be N pre-published keys one of which
might be pre-published in the zone, one active KSK in production, and
maybe one in retirement.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Irish Sea: West or southwest 6 to gale 8, decreasing 5 for a time. Rough,
becoming moderate. Rain. Moderate or good.

More information about the ksk-rollover mailing list