On 21/09/2018 16:12, Marc Blanchet wrote:
right but:
- people are lazy: until there are real events (KSK rollover), they will not care or prepare. Therefore, we must have rollovers frequent enough so people do act.
- there are mechanisms to help/automate rollover, such as RFC5011, which shall fit with most use cases.
- for the use cases/reasons people do not use RFC5011, then it is like any manual configuration management: you take the responsibility to put whatever process in your org to handle that case, since you are aware that you are taking the manual route.
What about the (hypothetical?) home CPE with a validating resolver that's been left on the shelf for a couple of years. RFC 5011 doesn't help those. AFAIK, re-bootstrapping trust for those is still an unsolved problem.

Ray
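The failure mode Ray describes can be made concrete with a small simulation. The following is an added example, not code from either poster or from any resolver implementation: it models the RFC 5011 trust-anchor state machine in simplified form (AddPend, Valid, Revoked, with the 30-day add and remove hold-down timers) and runs two resolvers through a constructed KSK rollover, one that polls the DNSKEY RRset daily and one that is switched off from just before the roll until long after the old key has been withdrawn. Key tags (1111, 2222), the timeline and the "signature" representation are all constructed placeholders, not the real root KSK rollover data.

```python
"""Simplified RFC 5011 trust-anchor state machine (added illustration).

A DNSKEY RRset is a dict of key tag -> flags plus the set of key tags whose
RRSIG covers it.  Signatures are not checked cryptographically; a signer tag
stands in for a valid RRSIG.  Times are in days.
"""
from dataclasses import dataclass, field

ADD_HOLD_DOWN = 30     # RFC 5011 default: new key must be seen for 30 days
REMOVE_HOLD_DOWN = 30  # RFC 5011 default: revoked key kept 30 days, then deleted
REVOKE = 0x0080        # DNSKEY flag bit defined by RFC 5011

OLD_TAG = 1111         # constructed tag for the factory-installed KSK
NEW_TAG = 2222         # constructed tag for the replacement KSK


@dataclass
class RRset:
    keys: dict   # key tag -> flags
    signers: set # key tags whose signature covers this RRset


@dataclass
class Rfc5011Resolver:
    anchors: dict                            # key tag -> "AddPend" | "Valid" | "Revoked"
    pending_since: dict = field(default_factory=dict)
    revoked_since: dict = field(default_factory=dict)

    def trusted(self):
        return {tag for tag, state in self.anchors.items() if state == "Valid"}

    def can_validate(self, rrset):
        # RFC 5011 only acts on an RRset signed by a currently valid anchor
        return bool(self.trusted() & rrset.signers)

    def observe(self, rrset, now):
        """Apply one poll of the DNSKEY RRset.  Returns False if it is unusable."""
        if not self.can_validate(rrset):
            return False
        for tag, flags in rrset.keys.items():
            if flags & REVOKE and tag in rrset.signers:
                # Self-signed revoked key: distrust immediately, delete after hold-down
                if self.anchors.get(tag) in ("Valid", "AddPend"):
                    self.anchors[tag] = "Revoked"
                    self.revoked_since[tag] = now
            elif tag not in self.anchors:
                self.anchors[tag] = "AddPend"
                self.pending_since[tag] = now
            elif (self.anchors[tag] == "AddPend"
                  and now - self.pending_since[tag] >= ADD_HOLD_DOWN):
                self.anchors[tag] = "Valid"
        for tag in list(self.anchors):
            if self.anchors[tag] == "AddPend" and tag not in rrset.keys:
                del self.anchors[tag]   # vanished before the hold-down: back to Start
            elif (self.anchors[tag] == "Revoked"
                  and now - self.revoked_since[tag] >= REMOVE_HOLD_DOWN):
                del self.anchors[tag]   # remove hold-down expired
        return True


def root_dnskey_at(day):
    """Constructed rollover timeline for the zone's KSK set."""
    if day < 0:
        return RRset({OLD_TAG: 0}, {OLD_TAG})
    if day < 90:   # pre-publication: both keys present and signing
        return RRset({OLD_TAG: 0, NEW_TAG: 0}, {OLD_TAG, NEW_TAG})
    if day < 120:  # old key published with REVOKE bit, self-signed
        return RRset({OLD_TAG: REVOKE, NEW_TAG: 0}, {OLD_TAG, NEW_TAG})
    return RRset({NEW_TAG: 0}, {NEW_TAG})


def run(poll_days):
    """Ship a resolver trusting only OLD_TAG and poll it on the given days."""
    resolver = Rfc5011Resolver(anchors={OLD_TAG: "Valid"})
    for day in poll_days:
        resolver.observe(root_dnskey_at(day), day)
    return resolver


if __name__ == "__main__":
    online = run(range(-1, 201))
    shelved = run([-1, 400])   # boxed up before the roll, powered on long after
    print("always-on resolver trusts:", online.trusted())
    print("shelved resolver trusts:  ", shelved.trusted())
    print("shelved can validate today's RRset:",
          shelved.can_validate(root_dnskey_at(400)))
```

The always-on resolver walks the new key through AddPend to Valid, sees the revocation, and ends up trusting only the new key. The shelved one wakes up to an RRset signed solely by a key it has never seen; since RFC 5011 refuses to learn anchors from an RRset it cannot validate, it is stuck with the withdrawn anchor and no in-band path back, which is exactly the re-bootstrapping gap the thread points at.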