[Yeti DNS Discuss] KROLL status. Plus a question about double-signing!

Shane Kerr shane at biigroup.cn
Tue Aug 2 05:50:26 UTC 2016


Hello all,

This is a quick update about the status of the KROLL experiment.

--------

As Kees Monshouwer pointed out, anyone configuring a resolver based on
our published KSK would have broken resolution when we started using
the new KSK.

In order to fix this, we include both the old and new KSK in our
published KSK now, and have reset the RFC 5011-mandated 30-day timer.
This means that anyone who configured a resolver using only the old KSK
will still be able to get RFC 5011 updates, and anyone new to the
project will have the new KSK by manual configuration.

--------

The second issue is that Davey Song noticed that I had not included any
time with double-signing of the ZSK by both the old and new KSK. The
actual procedure defined in RFC 6781 section 4.1.2. specifies a
double-signing.

My belief is that this double-signing is useful if you have a parent
updating a DS record, but not for the root. Right now the KROLL
experiment does not include a double-signing phase.

We have two choices (and possibly more):

1. Modify the experiment to include a double-signing phase. This will
   make it more closely match RFC 6781.

2. Leave the experiment as defined, without a double-signing phase.
   This more closely matches the ICANN roll plan, although not
   completely.

Personally I prefer to leave the experiment, although I admit that
mostly this is because I don't want to change things more than
necessary while it is underway. 

Please let us know what you think.

Cheers,

--
Shane




More information about the discuss mailing list