[dns-operations] Why roll the KSK? (was Sad news today: systemd-resolved to be deployed in Ubuntu 16.10)

Andrew Sullivan ajs at anvilwalrusden.com
Mon Jun 6 10:53:18 UTC 2016


On Mon, Jun 06, 2016 at 06:35:22PM +0800, Shane Kerr wrote:
> 1. only when needed (Florian's position),
> 2. frequently, or
> 3. every now and then (the current IANA KSK DPS) 
 
> The motivation behind #3 is... um. Well, I don't actually know. It
> seems like the worst of all possible worlds. :-P

In my opinion, we got to #3 by starting with #2 and then whittling
"frequently" down, given the issues with RFC 5011, to the point that
#3 seemed the only answer.

It's important to recall that RFC 5011 was chosen from an array of
competing proposals according to a requirements document that DNSEXT
produced something like 10 years ago.  There's something instructive
in that, because the requirements were conceived in an environment
quite different from the one where we are.  Perhaps this suggests
that, in developing standards, requirements documents can do as much
harm as good: it's hard actually to understand requirements of a
system you haven't really built yet.

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com


