[ksk-rollover] Architectural reconsideration on ICANN's Root Zone KSK rollover

[Davey Song(宋林健)]

Hi S Moonesamy,

Thanks for your review and comments. 

> There is the following in the proposal: "It require new DNS extension
> and functions in both authoritative and recursive side servers".  How
>  long would it take to deploy the new DNS extension?

Yes. It is an issue I raised in the conclusion part. It may take a long time for obsolete resolvers, but it can be very quick for resolvers willing to cooperate.

The proposal is obvious different from ICANN's plan. I'm not in favor of a hurry rollover once for all resolvers. I proposed an phased plan to different resolvers. My argument is that there is two risks: one is old key risk (compromised key) which IMHO is less than the second risk of key rollover for unready resolver. The former one is theoretical and imaginary "enemy". But the latter one is real suffering and the risk is inestimable because we do not know the proportion of unready resolver and their users. 

So compared the two risks, I propose to roll the key for ready resolver and keep the unready resolver the same. Unfortunately, ICANN and most of people here seems to be in a hurry to roll the key for all resolvers. Sorry my proposal is not for their taste. So I will keep my opinion on this.

Best regards,
Davey