[Dnssec-deployment] Root key rolling (was NIST guidance as to DNSSEC and others)
Matt Larson
mlarson at verisign.com
Tue Feb 7 12:56:16 EST 2012
On Mon, 06 Feb 2012, Joe Abley wrote:
>
> On 2012-02-06, at 21:29, paul vixie wrote:
>
> > Joe, was this objection raised during the public review of the current
> > DPS, and if so, with what response?
>
> Many people asked about the KSK rollover schedule during the Great Root DNSSEC Roadshow of 2009/2010.
>
> In each case, we told them the current plan: we expect to roll the key, it will be done with 5011 semantics, but since we are concerned that 5011 deployment is scarce there will be no scheduled key rollovers for at least five years.
>
> In every case where I was present that was received as an adequate answer. Which is not to say there were not people who were strong proponents of rolling the key early and often in order to exercise the machinery, but there were no objections voiced to me about the actual plan as described above, and no counter-proposals received.

+1 to all that. The Great Root DNSSEC Road Show undertaken by the
design team (ICANN, Verisign, Kirei) went a lot of places: please see
http://www.root-dnssec.org/presentations/.

Matt