[ksk-rollover] followup of DNSSEC Workshop at ICANN64
Dave Lawrence
tale at dd.org
Sun Mar 17 02:53:11 UTC 2019
S Moonesamy writes:
> The first "trust anchor" was in use for around 10 years. Although it
> has not caused any security issue, it is better to have "key
> rotation".
Right, I completely agree that we should have regular key rotation and
have previously offered my opinion that I'd like to see it once per
year. I think that achieving it by rolling to a published list of
pre-generated keys is a poor way of doing it.
More information about the ksk-rollover
mailing list