[ksk-rollover] Retention of the 2010 KSK

Wes Hardaker wjhns1 at hardakers.net
Fri Mar 29 08:47:31 UTC 2019


Geoff Huston <gih at apnic.net> writes:

> I have no idea Paul - but I do know that once the key is destroyed the
> entire conversation is kinda pointless, and I thought it was a little
> bit preemptory to slam the door shut on such musings..

I came to the same conclusion after hearing the discussion: there is no
software or device today that can make use of a yet-undefined chain, and
thus the need to anchor it to the single starting point in history is
potentially not helpful.  It may "look cleaner", but I can't think of a
technical reason why it's necessary.  Assuming a new protocol for doing
history chaining of some kind, all on-the-shelf devices that suddenly
have it implemented should simultaneously be chaining it back to only
the current KSK, which is KSK-2017 not KSK-2010 (and should stop going
backward once it hits the current trust anchor).

-- 
Wes Hardaker
USC/ISI
