FWIW - NTIA considers them separate documents and does not see a contradiction. The baseline requirements are exactly that (baseline requirements) and the DPS was one mechanism by which the RZM partners worked to fulfill / and flesh out the requirements.

My recollection is that, at the outset, we all agreed that there would be "scheduled" rollovers. The issue was that we (NTIA-NIST) didn't want to bind the partners with a pre-cooked schedule or notion of what the schedule should be as this was kind of uncharted waters at the time, but recognized the need for rollovers and that the issue of what "schedule" they would be on needed to be thoroughly discussed, considered, and potentially reconsidered.

-----Original Message-----
From: Richard Lamb [mailto:richard.lamb@icann.org]
Sent: Monday, February 23, 2015 11:41 AM
To: Paul Hoffman; Ashley Heineman
Cc: ksk-rollover@icann.org
Subject: RE: [ksk-change] Helping the panel name the reasons for the KSK rollover

Both ZSK and KSK DPSs were written and cleared by all the root zone management partners design team (VRSN, ICANN, NTIA) so I believe DPSs and requirements documents are consistent with each other. That was my understanding...we would roll but when was up for discussion. Do you see a contradiction? Happy to hear what others think. I am not the best at details like Jakob+Fredrik were.

-Rick

-----Original Message-----
From: ksk-rollover-bounces@icann.org [mailto:ksk-rollover-bounces@icann.org] On Behalf Of Paul Hoffman
Sent: Monday, February 23, 2015 5:30 PM
To: Ashley Heineman
Cc: ksk-rollover@icann.org
Subject: Re: [ksk-change] Helping the panel name the reasons for the KSK rollover

On Feb 23, 2015, at 8:11 AM, Ashley Heineman <AHeineman@ntia.doc.gov> wrote:
Just want to point out that "scheduled rollover of the KSK" was an original basic requirement when DNSSEC was implemented at the root. Specifically (as referenced in the baseline requirements, with the footnote 12, http://www.ntia.doc.gov/files/ntia/publications/dnssec_requirements_102909.pdf):

"c) Root Zone KSK Rollover
i) Scheduled rollover of the RZ KSK shall be performed.12

12 The Department envisions the timeline for scheduled rollover of the RZ KSK to be jointly developed and proposed by ICANN and VeriSign, based on consultation and input from the affected parties (e.g. root server operators, large-scale resolver operators, etc). Note that subsequent test plans may specify more or less frequent RZ KSK rollover to ensure adequate testing."

Is that subsumed by "DPS statement -- Section 6.5 of the DPS for the root zone says that the KSK will be rolled over after five years of operation, and that time has already passed.", or do you consider the contents of that footnote a separate issue?

--Paul Hoffman