[ksk-rollover] Retention of the 2010 KSK

Geoff Huston gih at apnic.net
Thu Mar 28 13:45:53 UTC 2019



> On 28 Mar 2019, at 12:08 pm, Kim Davies <kim.davies at iana.org> wrote:
> 
> Just confirming my mic comments:
>  
> Our current schedule has us remove the 2010 KSK from our HSMs in one of our two key management facilities in May, and from the HSMs in the other key management facility in August. While perhaps not a complete specification, we’d need a strong indicator we need to retain the KSK longer ideally by May, and certainly no later than August, in order to defer the deletion and retain the capability to use it (i.e. to create a signature via a new mechanism that would endorse the subsequent KSK).

Hi Kim,

I am happy to provide my strong indicator to retain the KSK until further notice. We have not given up yet on the dream of dusting off some dormant resolver that has a trusted key state of KSK 2010 and using some signed chain mechanism that would automate the installation of trust in the current key. If the old key is destroyed then the dream gets destroyed too.

Geoff



