[ksk-rollover] will there be another keyrollover?
Michael Richardson
mcr+ietf at sandelman.ca
Fri Sep 2 03:44:47 UTC 2022
Paul Wouters <paul at nohats.ca> wrote:
>> I mean, if the signed zone is loaded from disk, and rarely actually
>> transferred over the network, then maybe having huge-sized signatures
>> (which some NIST candidates feature) isn't so much a problem.
> You are talking post quantum algorithms? The ones that aren’t chosen
> yet by NIST, aren’t specified in RFCs and aren’t implemented in any
> software and aren’t deployed anywhere in resolvers?
Yes... has anyone done an *experiment* here?
I am not suggesting we do it tomorrow, but rather that we know what might be
involved. As I said: what if the root zone, being signed, no longer needed
to do queries, because every recursive had a copy.
> I think maybe the root should first roll to like algo 13 or something
> similar where there is operational experience.
That's also worth considering, and I said last time that doing it more often
means more operational practice.
--
Michael Richardson <mcr+IETF at sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide