On Thu, Oct 19, 2023 at 08:40:12PM -0700, Wes Hardaker via gtld-tech wrote:
> > My argument is that if something's worth doing, it's worth doing well.
> "Well" is in the eyes of the user who has to depend on the zone being functional. Sometimes operational stability, when a roll of any kind is difficult, is more important than ensuring the zone is continually DNSSEC signed. You have to consider many parameters, like the length of time it would be unsigned, the possibility of an attack during that time, and the likelihood of an operational outage due to a failure because of some parameter that will cause difficulty in ensuring a proper roll.
>
> You may recall I even wrote a draft [0] on this subject that actually had a lot more support for it than I was expecting it to get.
>
> [0]: https://datatracker.ietf.org/doc/draft-hardaker-dnsop-intentionally-temporar...
Indeed, a potential outage during a botched rollover needs to be one of the transition plan considerations. But I think there's a case for at least seriously considering, and at the appropriate opportunity, at least once, practising, a more graceful transition in the case of a TLD, some of whose delegated zones could otherwise be unwitting casualties of DNSSEC being turned off (they may have operational dependencies on DNSSEC being available). The question at hand is whether this was a plausible opportunity. Perhaps not this time, but ideally before an emergency operator change is required for a more critical TLD???

-- 
Viktor.