[ksk-rollover] Retention of the 2010 KSK

Paul Hoffman paul.hoffman at icann.org
Fri Mar 29 06:40:25 UTC 2019


On Mar 28, 2019, at 2:45 PM, Geoff Huston <gih at apnic.net> wrote:
> 
>> On 28 Mar 2019, at 12:08 pm, Kim Davies <kim.davies at iana.org> wrote:
>> 
>> Just confirming my mic comments:
>> 
>> Our current schedule has us remove the 2010 KSK from our HSMs in one of our two key management facilities in May, and from the HSMs in the other key management facility in August. While perhaps not a complete specification, we'd need a strong indicator that we need to retain the KSK longer, ideally by May and certainly no later than August, in order to defer the deletion and retain the capability to use it (i.e. to create a signature via a new mechanism that would endorse the subsequent KSK).
> 
> Hi Kim,
> 
> I am happy to provide my strong indicator to retain the KSK until further notice. We have not given up yet on the dream of dusting off some dormant resolver that has a trusted key state of KSK 2010 and using some signed chain mechanism that would automate the installation of trust in the current key. If the old key is destroyed then the dream gets destroyed too.

How would this work? Such a dusty resolver doesn't yet have the "some signed chain mechanism" installed on it because it doesn't yet exist. If the resolver can have that mechanism installed when it starts up, it can have the current trust anchors installed too.

I can see that maybe IANA should not delete keys once such a mechanism is defined and deployed, but not until then. Am I missing something here?

--Paul Hoffman