[Yeti DNS Discuss] KROLL experiment proposal

Shane Kerr shane at biigroup.cn
Mon Jul 4 21:34:41 UTC 2016


Fellow Yeti participants,

We are overdue for our next experiment!

We can actually start the next one at the end of this week (2016-07-08)
if people think that it makes sense. Please let us know.


Since ICANN is moving forward with plans to roll the IANA root KSK, I
propose that we roll the Yeti root KSK. I actually propose two
experiments:

1. A "normal" KSK roll, and
2. A KSK roll styled after the ICANN proposal

The idea is to use the simplest approach possible, and insure that this
works. If it does, then we can try the ICANN proposal and insure that
it works too. (The main difference being that ICANN adds the old KSK
back later with the revoked bit set.)

Here is the proposal for a "normal" KSK roll:

https://github.com/shane-kerr/Yeti-Project/blob/experiment-kroll/doc/Experiment-KROLL.md

One question is that we require 30 days for the RFC 5011 hold-down
timer, but I don't think we need to keep the revoked KSK for 30 days.
Perhaps we should accelerate that part of the experiment? (Honestly 2
days should be plenty, since resolvers usually limit TTL to 1 day. But
maybe 7 days is a better idea in case someone is having connectivity
problems.)

Cheers,

--
Shane



More information about the discuss mailing list