[Yeti DNS Discuss] Notes from Yeti 2nd Virtual meeting

David Conrad drc at virtualized.org
Sat Mar 26 03:44:43 UTC 2016

> Shane mentioned the IANA KSK roll status:
> http://yeti-dns.org/resource/2016-03-24/2016-03-24-icann-ksk-roll.pdf
Um.  From that presentation:

"Root KSK DPS: roll every 5 years – Signed 2010-07-15 (> 5.5 years ago... oops!)"

The actual ICANN KSK DPS policy statement (the first sentence of section 6.5 of https://www.iana.org/dnssec/icann-dps.txt) says:

"Each RZ KSK will be scheduled to be rolled over through a key ceremony as required, or after 5 years of operation."

(emphasis added). It does NOT say "roll every 5 years".

We're in the process of developing the necessary plans and processes to attempt to safely and responsibly roll the KSK _after_ 5 years as the DPS requires.  As every validating resolver on the planet will need to update their trust anchor in response to this roll, you can probably imagine that this is a non-trivial exercise when you're talking about not disrupting the production Internet (or at least 25% or so of that Internet that is currently validating responses) upon which trillions of dollars of GDP depend.

We anticipate providing more details on the plans for the KSK roll in the near future.

