Hi Joe,

It is not clear if the validUntil time is referring to the time when the key is expected to be rolled into RFC 5011 revoked state or when it is expected to be removed from the zone.

What will happen with the keytag field in the published data for an historical key that has been revoked? Will it still have the original keyid or keyid+128? Does it make sense to add an additional timer in the published data so that the revoked state can be described better? If RFC5011 rolls are being used, I think the RFC must be referenced.

/S
----------------------------------------------------------------------
Stephan Lagerholm

> -----Original Message-----
> From: dnsop-boun...@ietf.org [mailto:dnsop-boun...@ietf.org] On Behalf Of Joe Abley
> Sent: Thursday, September 30, 2010 4:47 AM
> To: George Barwood
> Cc: IETF DNSOP WG
> Subject: Re: [DNSOP] Fwd: I-D Action:draft-jabley-dnssec-trust-anchor-00.txt
>
> Hi George,
>
> On 2010-09-30, at 06:45, George Barwood wrote:
>
> > Not directly related to this draft (it's probably out of scope), but is there any guidance on the timing of rollover of the Trust Anchor for the Root Zone?
>
> We have issued no guidance for this to date beyond
>
> (a) in an emergency, a root zone KSK roll-over may happen uncomfortably quickly, depending on the type of emergency;
>
> (b) we don't anticipate a scheduled key roll-over to earlier than 3 years (our messaging has mentioned "3 to 5 years");
>
> (c) the roll-over will follow RFC5011.
>
> Part of the reason (b) is vague is due to (c) -- we don't know how pervasive RFC5011 support is, and we expect RFC5011 support to be important for a large proportion of DNSSEC users. We know that the practical lifetime of software in the field can be long, and so presumably even if RFC5011 was universally shipping in validators today there would still be a necessary delay before we could expect it to be usefully available.
>
> I would certainly expect any scheduled roll-over to be announced (and the trust anchor published) well in advance of the retirement of the old KSK.
>
> We would be happy to hear thoughts from the community on what process and timing makes sense. If the dnsop chairs are happy for that conversation to happen here, we are listening.
>
>
> Joe
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
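Added example, not part of either message or of the draft under discussion: the RFC 4034 Appendix B key tag computed for a DNSKEY before and after the RFC 5011 REVOKE flag bit is set, which is what the "keyid or keyid+128" question is about. The key material is constructed and is not a real root zone KSK; the example also shows that the revoked tag is the original plus 128 only in the common case, and plus 129 when the 16-bit sum carries.

```python
# Key tag of a DNSKEY RR (RFC 4034 Appendix B) and the effect of the
# RFC 5011 REVOKE bit on the tag that a revoked key would be published under.
# Added example for this thread; the public keys below are constructed
# placeholders, NOT real root zone key material.
import struct

REVOKE = 0x0080    # RFC 5011 REVOKE bit in the DNSKEY flags field
ZONE_KEY = 0x0100  # RFC 4034 Zone Key flag
SEP = 0x0001       # RFC 4034 Secure Entry Point flag
KSK_FLAGS = ZONE_KEY | SEP  # 257, the usual flags of a KSK / trust anchor

# Constructed 8-byte "public keys" (protocol 3, algorithm 8 assumed).
SAMPLE_KEY = bytes.fromhex("1a2b3c4d5e6f7081")  # common case: shift of 128
CARRY_KEY = bytes.fromhex("1a2b3c4d5e6f46d0")   # 16-bit sum carries: shift of 129


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Serialise DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: sum of 16-bit words, carry folded once.
    The algorithm 1 (RSA/MD5) special case is deliberately not handled."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if (i & 1) else (byte << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def revoked_key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Tag the same key carries once REVOKE is set (RFC 5011 section 2.1)."""
    return key_tag(dnskey_rdata(flags | REVOKE, protocol, algorithm, pubkey))


def tag_shift(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Difference (mod 2^16) between the revoked and the original key tag.
    Setting REVOKE adds 128 to the word sum, so the shift is 128 unless the
    low 16 bits of the sum overflow, in which case the carry makes it 129."""
    original = key_tag(dnskey_rdata(flags, protocol, algorithm, pubkey))
    revoked = revoked_key_tag(flags, protocol, algorithm, pubkey)
    return (revoked - original) % 0x10000


if __name__ == "__main__":
    for name, pubkey in (("SAMPLE_KEY", SAMPLE_KEY), ("CARRY_KEY", CARRY_KEY)):
        orig = key_tag(dnskey_rdata(KSK_FLAGS, 3, 8, pubkey))
        rev = revoked_key_tag(KSK_FLAGS, 3, 8, pubkey)
        print(f"{name}: tag {orig} -> revoked tag {rev} "
              f"(shift {tag_shift(KSK_FLAGS, 3, 8, pubkey)})")
```

A published record for a revoked key therefore needs the tag recomputed over the revoked flags rather than the original keyid with 128 added.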