[ksk-rollover] When is the KSK rollover complete?

Matthew Pounsett matt at conundrum.com
Tue Oct 30 12:38:05 UTC 2018


On Mon, 29 Oct 2018 at 12:21, Paul Hoffman <paul.hoffman at icann.org> wrote:

> On Oct 29, 2018, at 9:08 AM, Chris Thompson <cet1 at cam.ac.uk> wrote:
> >
> > On Oct 29 2018, Paul Hoffman wrote:
> >
> >> * Y'all did remember that the rollover isn't complete until we revoke
> >> KSK-2010 on 11 January 2019, yes?
> >
> > Or maybe 70 days later (22 March) when the revoked KSK-2010 disappears
> > from the root zone?
>
> Good catch! We know that some software that does DNSSEC validation doesn't
> implement RFC 5011. The fact that the REVOKE bit is turned on in the record
> for KSK-2010 in DNSKEY RRset won't mean anything to systems running that
> software unless they also update their trust anchor files to only include
> KSK-2017.
>

Although anything that doesn't implement 5011 should already be
experiencing problems since KSK-2010 is no longer being used to sign
anything.  Any of those systems that are not experiencing problems now must
have had their trust anchor manually updated, and revocation or removal of
KSK-2010 should be irrelevant to them.  I would expect the only problems to
be exposed by revocation or removal of KSK-2010 to be bugs in 5011
implementations.
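
The reasoning in this message can be walked through with a toy model. The Python below is an added illustration, not code from the thread or from any resolver; the four-phase timeline, the use of key names in place of key material, and the simplified RFC 5011 handling (no hold-down timer) are assumptions.

```python
# Added illustration: a toy model of trust-anchor handling, not real DNSSEC
# validation. Keys are names only; the timeline below is constructed.
from dataclasses import dataclass

K10, K17 = "KSK-2010", "KSK-2017"

@dataclass(frozen=True)
class Phase:
    name: str
    published: frozenset               # keys in the root DNSKEY RRset
    signers: frozenset                 # keys whose signatures cover that RRset
    revoked: frozenset = frozenset()   # published keys with the REVOKE bit set

both, new = frozenset({K10, K17}), frozenset({K17})
TIMELINE = [
    Phase("KSK-2017 pre-published", both, frozenset({K10})),
    Phase("KSK-2017 signing", both, new),
    Phase("KSK-2010 revoked", both, both, frozenset({K10})),  # 11 January 2019
    Phase("KSK-2010 removed", new, new),                      # 22 March
]

def run(anchors, rfc5011):
    """Walk the timeline; return (phases that fail to validate, final anchors)."""
    anchors, failures = set(anchors), []
    for p in TIMELINE:
        # A signature helps only if its key is a configured anchor. A revoked
        # key has different flags (and key tag) from the configured copy, so
        # it cannot serve as a trust point for either kind of validator.
        usable = (anchors & p.signers) - p.revoked
        if not usable:
            failures.append(p.name)
            continue
        if rfc5011:
            # Simplified RFC 5011: learn new keys from a validated RRset
            # (hold-down timer omitted), drop anchors that revoke themselves.
            anchors |= p.published - p.revoked
            anchors -= p.revoked & p.signers
    return failures, anchors

if __name__ == "__main__":
    for label, start, auto in [("static, KSK-2010 only", {K10}, False),
                               ("static, manually updated", {K10, K17}, False),
                               ("RFC 5011, started with KSK-2010", {K10}, True)]:
        print(label, "->", run(start, auto))
```

In this model the static validator holding only KSK-2010 starts failing as soon as KSK-2017 takes over signing, while the manually updated and RFC 5011 validators see no change at revocation or removal.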