[ksk-rollover] followup of DNSSEC Workshop at ICANN64

Michael Richardson mcr+ietf at sandelman.ca
Thu Mar 14 16:38:45 UTC 2019

Tony Finch <dot at dotat.at> wrote:
    >> I also want regular rollover, and I'd like it to be frequent enough that it
    >> gets tested.  I also want it infrequent enough to never be without an anchor.

    > Trust anchor lifetime can be decoupled from rollover frequency.

    > If keys are generated a few years in advance of going into active use,
    > there is plenty of time for them to be disseminated beforehand. They do
    > not have to be pre-published in the zone (although that is what RFC 5011
    > was designed for); they can be distributed out of band by software updates
    > or other means.  If there are annual rollovers with keys generated N years
    > in advance, at any time there will be N pre-published keys one of which
    > might be pre-published in the zone, one active KSK in production, and
    > maybe one in retirement.

Yes, I'd like to do that.
I'd like N=10, and the roll-over frequency to be yearly.

Michael Richardson <mcr+IETF at sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190314/12ee3a12/signature.asc>

More information about the ksk-rollover mailing list