On Oct 30 2018, Matthew Pounsett wrote:
On Mon, 29 Oct 2018 at 12:21, Paul Hoffman <paul.hoffman@icann.org> wrote:
On Oct 29, 2018, at 9:08 AM, Chris Thompson <cet1@cam.ac.uk> wrote:
On Oct 29 2018, Paul Hoffman wrote:
* Y'all did remember that the rollover isn't complete until we revoke KSK-2010 on 11 January 2019, yes?
Or maybe 70 days later (22 March) when the revoked KSK-2010 disappears from the root zone?
Good catch! We know that some software that does DNSSEC validation doesn't implement RFC 5011. The fact that the REVOKE bit is turned on in the record for KSK-2010 in DNSKEY RRset won't mean anything to systems running that software unless they also update their trust anchor files to only include KSK-2017.
Although anything that doesn't implement 5011 should already be experiencing problems since KSK-2010 is no longer being used to sign anything. Any of those systems that are not experiencing problems now must have had their trust anchor manually updated, and revocation or removal of KSK-2010 should be irrelevant to them. I would expect the only problems to be exposed by revocation or removal of KSK-2010 to be bugs in 5011 implementations.
This surely isn't right? Validators using statically configured trust anchors (e.g. using "trusted-keys" rather than "managed-keys" in BIND) and having both KSK-2010 and KSK-2017 configured as trust anchors will go on working just fine. If this wasn't the case, they would not have been able to add a trust anchor for KSK-2017 in advance of the rollover. At some point we will want to see some statistics about RFC 8145 signals that indicate trusting only KSK-2017. Maybe there is even some such data available already, even if it isn't shown in the graphs at http://root-trust-anchor-reports.research.icann.org/ ? (It is interesting, though, that those graphs show only a rather modest decrease in the KSK-2010-only signals during October.) -- Chris Thompson Email: cet1@cam.ac.uk