[ksk-rollover] What KSK rollover methodology will be used today?
Phil Regnauld
regnauld at nsrc.org
Thu Oct 11 11:19:17 UTC 2018
Matt Larson (matt.larson) writes:
>
>
> > Does anyone know what is the method for changing the KSK rollover today? I have tried to look for it in ICNN documents but I unfortunately I could not find it.
>
> I'm not sure I understand your question about methodology. At 1600 UTC today, 11 October (or shortly thereafter), a root zone will be published with only the "new" KSK (called KSK-2017) signing the root zone's apex DNSKEY RRset. Currently the root zone's apex DNSKEY RRset is signed only with the soon-to-be "old" KSK (called KSK-2010). The publication of this root zone implements the root KSK rollover.
To complement your answer, we can say this is a "pre-publish" type
rollover (as opposed to a double signature one) -- if that was what
Suhayb was referring to.
Cheers,
Phil
More information about the ksk-rollover
mailing list