On Mon, Mar 20, 2017 at 6:54 PM, Ted Lemon <mel...@fugue.com> wrote:

> On Mar 20, 2017, at 9:50 PM, Brian Dickson <brian.peter.dick...@gmail.com>
> wrote:
>
> > This would require an update every time the KSK is rolled, or whenever the
> > RRSIG needs to be refreshed. 68 years is an inconvenient interval, so maybe
> > 50 or 20 years? This is still a lot better than 1 week or 1 month.
>
> Isn't there some inconvenient process involved in using the KSK? I
> suspect that in practice, this makes it harder, not easier.
>

Yes, very much so, although I'm answering from second- or third-hand
knowledge.

As I understand it, the whole process of using the KSK is a scripted,
recorded ceremony in a carefully controlled super-restricted environment,
so this would need to be added to that script.

On the plus side, if it only needs to be done on the very rare occasion
(every N years or when the KSK rolls), I think the benefit would outweigh
the initial barrier to change.

But, that is probably for the folks with direct knowledge to comment on.
I'm just putting the suggestion forward.

Brian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
