[ksk-rollover] followup of DNSSEC Workshop at ICANN64

Jacques Latour Jacques.Latour at cira.ca
Thu Mar 21 13:42:29 UTC 2019

As I also stated in the DNSSEC workshop, I support a regular root KSK rollover, annually but not longer than two years, we need to develop muscle memory to rollover the key.  Also, if the removal of the old key tomorrow is non eventful then I think it would be worthwhile to roll the key in 6 months while our memory is still fresh, this may force the one who manually update to use automated mechanisms.

As for the unexpected increased DNSKEY query results, as I said, it looks very interesting but if there were real users or applications problems behind it then they would be been fix by now, and in my view the increase is probably not end-user / application impacting.  Just plain old hardcoding ;-)


>-----Original Message-----
>From: ksk-rollover <ksk-rollover-bounces at icann.org> On Behalf Of Yoshiro
>Sent: March 13, 2019 5:33 PM
>To: ksk-rollover at icann.org
>Subject: [ksk-rollover] followup of DNSSEC Workshop at ICANN64
>Hi all,
>During DNSSEC Workshop at ICANN64, there were discussion regarding future
>KSK rollover.
>This is followup what I said.
>I support regular Root Zone KSK Rollover for operational maturity and DNS
>software matulity.
>The importance is doing regulary.  Frequency may be once per 2-3 years, less
>than 5 years.
>Yoshiro YONEYA
>ksk-rollover mailing list
>ksk-rollover at icann.org

More information about the ksk-rollover mailing list