[ksk-rollover] When is the KSK rollover complete?
Paul Hoffman
paul.hoffman at icann.org
Mon Oct 29 16:21:49 UTC 2018
On Oct 29, 2018, at 9:08 AM, Chris Thompson <cet1 at cam.ac.uk> wrote:
>
> On Oct 29 2018, Paul Hoffman wrote:
>
>> * Y'all did remember that the rollover isn't complete until we revoke
>> KSK-2010 on 11 January 2019, yes?
>
> Or maybe 70 days later (22 March) when the revoked KSK-2010 disappears
> from the root zone?
Good catch! We know that some software that does DNSSEC validation doesn't implement RFC 5011. The fact that the REVOKE bit is turned on in the record for KSK-2010 in DNSKEY RRset won't mean anything to systems running that software unless they also update their trust anchor files to only include KSK-2017.
--Paul Hoffman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3915 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20181029/46863609/smime.p7s>
More information about the ksk-rollover
mailing list