[ksk-rollover] (Un)planning future KSK replacements

Evan Hunt each at isc.org
Fri Mar 29 13:20:34 UTC 2019


On Fri, Mar 29, 2019 at 01:44:06PM +0100, Ray Bellis wrote:
> If standby keys become a thing, would it perhaps be useful if keys were 
> pre-published as CDNSKEY / CDS records in the root so that they can be 
> distributed without causing additional computational load on validators 
> or bloating of the DNSKEY RR set?

I like this idea a lot.

CDS seems like it's probably more doable than CDNSKEY. IIRC, the IANA
powers-that-be have been resistant in the past to pre-publishing public
keys but more open to pre-publishing hashes.

So, CDS in a typical zone would be a signal to the parent to update the DS,
and in the root zone it would be a signal to validators to update their
trust anchors.  (5011 holddown timing should probably apply, though...)

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.


More information about the ksk-rollover mailing list