[Comments-ksk-rollover-restart-01feb18] just do it!

Jim Reid jim at rfc1035.com
Mon Apr 2 18:30:59 UTC 2018


ICANN has taken all reasonable and prudent measures to mitigate the potential hazards that might arise from rolling the root key-signing key. It is hard to envisage what more could or should be done.

The plan for continuing the rollover is fine. Unless compelling evidence to support another postponement emerges before a final decision is taken, the proposed rollover plan should be put into effect.

It is highly unlikely that anything significant will break because a small number of validating resolvers seem to have been hard-wired with the current (and soon to be obsoleted) key. In any event, these misconfigured systems cannot be allowed to indefinitely delay the rollover. If they did, a rollover of the root's key-signing key would never happen because there would always be something somewhere which was unable to handle the new key. Or had been intentionally configured to properly handle a key rollover.

It is also important for Secure DNS (as well as the broader security and stability of the Internet) that rollover of the root key-signing key takes place. This is good cryptographic practice. Rolling the key has to take place from time to time. One day it might be necessary to carry out an emergency rollover -- say because a key or algorithm is considered compromised. It would obviously be better to have had some actual experience from planned rollovers before an emergency, forced rollover is needed, regardless of how unlikely that scenario might be.


