[dnssec-deployment] .br KSK rollover
Frederico A C Neves
fneves at registro.br
Thu Jun 26 11:31:30 EDT 2008
On Thu, Jun 26, 2008 at 09:01:48AM +0200, Mats.Dufberg at teliasonera.com wrote:
> Do you have any plans for supporting RFC 5011 in upcoming KSK rollovers?
Yes, our current idea is to change the rollover policy using the first
month for the addition of a new key but already doing the double
signing and the last one to do the revocation of the old key. This is
a compromise in supporting already deployed software that rely on
manual configuration and is anchored using a DS that will not match
the revoked key and our current policy that only have a single key
published during normal operation time.
We expect to introduce a new standby key during our next validity
> As an operator of DNSsec enabled resolvers I see that as the key to
> wide-spread inclusion of a trust anchor.
You are absolutely right 5011 is the way to go. Hopefully at the time
root is signed the likelihood of needing to track others TA will reduce
and the already gained experience and widespread support of 5011 will
make registries and resolvers operators life's much easier.
> Do you have your policy document in English?
Sorry about that the message was a translation from another one used
in a local announce and the link wasn't changed.
More information about the Dnssec-deployment