[ksk-rollover] suggestions for deciding on key roll timing

Geoff Huston gih at apnic.net
Thu Mar 28 10:18:25 UTC 2019

> On 28 Mar 2019, at 9:42 am, Wes Hardaker <wjhns1 at hardakers.net> wrote:
> I just mentioned this at a mic, and I'm re-broadcasting it here:

ditto - here’s what I croaked at the mic.

Learned Lessons:
* We rolled the KSK
* The roll was not without impact  (e.g. at least a few hundred million users were affected when their ISP's resolver turned off DNSSEC validation at critical times in the roll process)
* This was not a rehearsal for a catastrophic and unexpected compromise of the KSK. It was a limited exercise in demonstrating that, albeit with some collateral damage, the KSK is malleable under certain conditions
* We have some issues with large UDP responses in the DNS.
* The DNS is determinedly opaque
* Legacy is an issue
* Trust Key management procedures operate in highly constrained scenarios
* Tolerance for risk is highly variable - there is no point that all parties can clearly tolerate
* The DNS continues to be surprising

More information about the ksk-rollover mailing list