On 4/3/2019 4:24 PM, Geoff Huston wrote:
I’m not in favour of retaining KSK-2010 forever - but I think destroying it in the next regularly scheduled key ceremony abruptly curtails the deployment of any possible tools that may allow reactivation of a dormant resolver to boot itself into a trust relationship with the current key based on its own trust in a prior key.

I have yet to hear any credible approach that would allow a dormant resolver - WITHOUT SOFTWARE UPDATES - to boot itself into a trust relationship based on the prior key. Seriously - if you're updating the software... update the keys. No dormant resolver knows how to get from the 2010 key to the 2017 key without replaying already signed RRSets over a period of 60-some-odd days. The software does not support it. And even then, you don't need the 2010 key - you just need the signatures it's already produced. Seriously, delete the damn key already. Or come up with a credible approach that doesn't begin with "maybe" or "I think" or "may allow" and that holds together through at least 4 email exchanges. Hoarding is a sickness that we need not inflict on the DNS root of trust.

Later,
Mike
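Added illustration, not part of the thread: a toy RFC 5011 trust-anchor state machine that replays archived, already-signed root DNSKEY RRsets into a resolver that trusts only KSK-2010. It shows the two points argued above: the rollover needs the signed RRsets observed across the hold-down period, and nothing in the replay ever needs the 2010 private key. Key names and day numbers are constructed; the 30-day hold-down is RFC 5011's default, not the real rollover timeline.

```python
from dataclasses import dataclass, field

HOLD_DOWN_DAYS = 30  # RFC 5011 add hold-down timer

@dataclass
class Snapshot:
    """One archived root DNSKEY RRset, as a resolver would have fetched it."""
    day: int
    keys: set              # key tags present in the RRset
    signed_by: set         # key tags whose RRSIG covers this RRset
    revoked: set = field(default_factory=set)  # keys carrying the REVOKE bit

@dataclass
class Resolver:
    trusted: set
    pending: dict = field(default_factory=dict)  # tag -> day first seen
    revoked: set = field(default_factory=set)

    def observe(self, snap):
        # RFC 5011 only acts on an RRset signed by a key it already trusts.
        if not (snap.signed_by & self.trusted):
            return
        for tag in snap.keys - self.trusted - self.revoked:
            self.pending.setdefault(tag, snap.day)
            if snap.day - self.pending[tag] >= HOLD_DOWN_DAYS:
                self.trusted.add(tag)          # hold-down survived: new trust anchor
                del self.pending[tag]
        # A revoked key must have self-signed the RRset carrying the REVOKE bit.
        for tag in snap.revoked & self.trusted & snap.signed_by:
            self.trusted.discard(tag)
            self.revoked.add(tag)
        # A key that disappears from the RRset drops out of the hold-down.
        self.pending = {t: d for t, d in self.pending.items() if t in snap.keys}

def replay_archive(initial_trust, archive):
    """Feed archived snapshots, oldest first, to a resolver trusting only initial_trust."""
    r = Resolver(set(initial_trust))
    for snap in sorted(archive, key=lambda s: s.day):
        r.observe(snap)
    return r

# Constructed archive of signed RRsets (days are illustrative, not the real timeline).
ARCHIVE = [
    Snapshot(0, {"KSK-2010", "KSK-2017"}, {"KSK-2010"}),
    Snapshot(15, {"KSK-2010", "KSK-2017"}, {"KSK-2010"}),
    Snapshot(31, {"KSK-2010", "KSK-2017"}, {"KSK-2010"}),
    Snapshot(60, {"KSK-2010", "KSK-2017"}, {"KSK-2010", "KSK-2017"}, {"KSK-2010"}),
]
```

Replaying the whole archive ends with KSK-2017 trusted and KSK-2010 revoked; replaying only the final snapshot leaves KSK-2017 stuck in the hold-down while KSK-2010 is revoked, so the resolver is left with no trust anchor at all.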