"Each RZ KSK will be scheduled to be rolled over through a key
ceremony as required, or after 5 years of operation."
Yes. But I’m still not seeing where 2020 comes in. All the above is saying is that the 2010 KSK was in a position to be rolled after 2015.
The discussion on this mailing list has been
about trust and uncertainty.
What we’re looking for is some direction from the community on how to determine an "agreed understanding of when the rollover has affected operational stability beyond a reasonable boundary”.
Is the potential
negative impact mentioned above about the "4% of
the approximately 12,000 DNSSEC-validating
resolvers"?
Sorry, where are you getting your numbers?
If so, has there been any discussion about the data?
To be clear, we’re now seeing about 8% of the RFC 8145-reporting resolvers (which is, of course, a subset of all validating resolvers) indicating they’re configured for only KSK-2010. The issue is that we have no good idea of figuring out how many end users that percentage is representing and what the implications of breaking resolution for those end users will be.
Regards,
-drc