[ksk-rollover] Revoking KSK-2010 imminent
Geoff Huston
gih at apnic.net
Sun Jan 6 22:49:50 UTC 2019
As far as I understand the situation there is one small risk factor - the revoked key will inflate the size of the response to a root zone DNSKEY query to 1449 octets (as I recall). The combination of the possibility of fragmentation and some root servers performing response truncation implies a small risk of some DNSSEC-validating resolvers being unable to retrieve the root zone DNSKEY RR and going ‘dark’.
However, this seems like a pretty small risk - other zones, such as .org, use a far larger response, and if a validating resolver is going to get caught out on being unable to receive large responses then it already has problems with .org names!
Geoff
More information about the ksk-rollover
mailing list