[ksk-rollover] (Un)planning future KSK replacements
Phil Regnauld
regnauld at nsrc.org
Fri Mar 29 09:11:25 UTC 2019
Salz, Rich via ksk-rollover (ksk-rollover) writes:
> * I mostly agree with this, and would totally agree if we were completely 5011 based, but that's not the case. I think there needs to be an "interested parties" announcement even if this isn't announced widely. E.g. ISPs that do manual configuration on roll-their-own DNS resolvers etc.
>
> If you pre-announce to interested parties, then you are not helping those parties learn how to handle unannounced emergencies.
+1.
The one thing that worries me most here is that if we don't make
KSK rollovers part of something your software and/or distro deals
with automatically, each pre-announced roll will result in huge
amounts of time and resources wasted on long threads on various
mailing lists, with the risk of bringing the n+1 roll to a grinding
halt if the least doubt arises. We are nearly 9 *years* into the
signed root. Mission accomplished?
As Pieter wrote:
> There are non-5011 ways to get the anchors (e.g. time fetches of the
> XML). But a list for announcements to interested parties, without the
> publication fanfare makes sense to not spring this on people.
... so yeah, work with the vendors/distros, make this as automatic
and normal as possible, so we can use our time on other issues that
haven't been solved yet ;)
Cheers,
Phil