[ksk-rollover] Proposal for Future Root Zone KSK Rollovers

Kim Davies kim.davies at iana.org
Wed Nov 6 13:33:02 UTC 2019


We would like to share that our Proposal for Future Root Zone KSK Rollovers has been published for public comment and is available for review on the ICANN website:


We have reviewed the feedback received from the community, and tailored a plan based upon community feedback, operational complexity, and lessons learned in the first KSK rollover projects which concluded recently.

From a high-level perspective, the plan includes a three-year rollover interval, with a period of about two years in a standby state before the rollover and active phase of the KSK.

The proposal outlines the future KSK lifecycle which will directly affect activities in future KSK ceremonies, and the frequency with which different HSM smartcards are required. Please take this into consideration along with the HSM lifecycle in conjunction with the proposal for credential re-issuance.

The three-year rollover strikes a responsible balance ensuring that procedures and software remain sufficiently agile to adopt new keys as they are commissioned, while not introducing too much operational complexity through overly frequent changes to the KSK. The standby period will allow a longer pre-publication and consequently allow for the new KSK’s earlier use if there is a need to perform an emergency rollover.

The public comment period is slated to close at the end of January. We encourage you to submit your feedback so we may integrate it into the final approach.

For those at the ICANN 66 meeting in Montreal this week, we will be presenting the proposal to the DNSSEC session being held later today.

Kim Davies
VP, IANA Services, ICANN
President, Public Technical Identifiers (PTI)