Hi folks,

Last week I posted this proposal on this mailing list, but there is no reply online but several comments off line

which are very helpful and help make this proposal more practical.

l  One important concern is that it may take too long to roll the key, waiting for standardization, implementation

and large deployment by the « good » guys. And  no incentive for  « good » do all the work for <<lazy>> guys.

So I'm inspired that it is not necessary for additional set of root server and coordination between server and resolver

for this purpose. All the work can be done in server side.

It can be implemented on server side with "two logic views"(similar but different from BIND multiple view mechanism.
When authoritative server recognize the resolvers who support RFC5011 (via rfc8145 or combined with kskroll-sentinel),
it can roll the key only for them. Roll KSK not once for all but per-resolver. In that case there is no need any modification on

resolver. Root server operator should do this work only.  So there is no interoperability problem. No specification of DNS is

needed which shorten the time and concerns.

l  Another concerns is the implication or panics of alternative root by saying paralleled root sever.

Although the proposal has nothing to do with alternative root, it can change the saying as a “upgrade path” instead.

I will change the proposal according to the comments. And still welcome other comments.

Best regards,

Davey