[ksk-rollover] followup of DNSSEC Workshop at ICANN64

Dave Lawrence tale at dd.org
Sun Mar 17 02:53:11 UTC 2019

S Moonesamy writes:
> The first "trust anchor" was in use for around 10 years.  Although it 
> has not caused any security issue, it is better to have "key 
> rotation".

Right, I completely agree that we should have regular key rotation and
have previously offered my opinion that I'd like to see it once per
year.  I think that achieving it by rolling to a published list of
pre-generated keys is a poor way of doing it.

More information about the ksk-rollover mailing list