[ksk-rollover] followup of DNSSEC Workshop at ICANN64

Dave Lawrence tale at dd.org
Sat Mar 16 22:16:57 UTC 2019


Michael Richardson writes:
> It seems that these issues exist if there are *any* keys generated
> before use, independently of the number of keys.

Yes, exactly, which makes me scratch my head every time someone
proposes a list of pre-generated keys as the solution to this
problem.

It seems to me that what such a list gets you is lead time on cracking
future keys, or more things that end up useless in the event some
aspect of the whole process is found to have been faulty.  This in
exchange for the busywork of changing the current key more frequently
without adding any real additional security in the process.


