[ksk-rollover] followup of DNSSEC Workshop at ICANN64

Michael Richardson mcr+ietf at sandelman.ca
Thu Mar 14 16:38:45 UTC 2019


Tony Finch <dot at dotat.at> wrote:
    >> I also want regular rollover, and I'd like it to be frequent enough that it
    >> gets tested.  I also want it infrequent enough to never be without an anchor.

    > Trust anchor lifetime can be decoupled from rollover frequency.

    > If keys are generated a few years in advance of going into active use,
    > there is plenty of time for them to be disseminated beforehand. They do
    > not have to be pre-published in the zone (although that is what RFC 5011
    > was designed for); they can be distributed out of band by software updates
    > or other means.  If there are annual rollovers with keys generated N years
    > in advance, at any time there will be N pre-published keys one of which
    > might be pre-published in the zone, one active KSK in production, and
    > maybe one in retirement.

Yes, I'd like to do that.
I'd like N=10, and the roll-over frequency to be yearly.

--
Michael Richardson <mcr+IETF at sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
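The schedule discussed above (keys generated N years ahead, annual rollovers, N pre-generated keys plus one active and one retired KSK) as an added Python model to check the "never be without an anchor" requirement for a validator that only receives anchors out of band; this is example code written for this page, not code from the thread or ICANN, and naming each key by its activation year and the one-year retirement window are assumptions:

```python
# Added example: model of the KSK schedule from the thread, used to ask how
# long a validator can go without an anchor update before it holds no
# anchor for the active KSK. Keys are named by their activation year
# (a constructed convention), and a retired key is kept for one year.

def key_states(year: int, n_advance: int) -> dict:
    """Keys that exist at `year` with annual rollovers: the active KSK,
    the N pre-generated keys (the nearest of which may also be
    pre-published in the zone), and the key retired at the last rollover."""
    return {
        "retired": year - 1,
        "active": year,
        "in_zone_prepub": year + 1,
        "pregenerated": list(range(year + 1, year + n_advance + 1)),
    }

def anchors_received(refresh_year: int, n_advance: int) -> set:
    """Trust anchors a validator holds if its last out-of-band update
    (software update or similar) happened at `refresh_year`."""
    s = key_states(refresh_year, n_advance)
    return {s["retired"], s["active"], *s["pregenerated"]}

def has_anchor(refresh_year: int, now_year: int, n_advance: int) -> bool:
    """True if a validator last updated at `refresh_year` still holds the
    KSK that is active at `now_year`, i.e. it can validate the root."""
    active_now = key_states(now_year, n_advance)["active"]
    return active_now in anchors_received(refresh_year, n_advance)

def years_until_stranded(refresh_year: int, n_advance: int) -> int:
    """Years a validator can go without any anchor update before it no
    longer holds the active KSK (equals N for annual rollovers)."""
    year = refresh_year
    while has_anchor(refresh_year, year + 1, n_advance):
        year += 1
    return year - refresh_year

if __name__ == "__main__":
    # N=10 as proposed in the reply, versus N=1 (only the next key known)
    for n in (10, 1):
        print(f"N={n}: a validator updated in 2019 survives "
              f"{years_until_stranded(2019, n)} year(s) without updates")
```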
