On Thu, Jan 04, 2018 at 10:01:04PM +0000, David Conrad <david.conrad@icann.org> wrote a message of 222 lines which said:
> Just to level set and argue the extreme, if we had data that suggested that 100% of validating resolvers would fail, would you personally pull the trigger that causes the KSK rollover?
If there were this data, no, because it would mean there is a general problem, maybe a broken protocol that the IETF would need to fix. But we are not at 100%; we know that key rollover can work, just not for everyone. 100% failure is an easy case to handle: it means there is clearly a problem, and one which does not reside with the ordinary sysadmin. But we are not in the easy case.
> This (presumably) assumes humans will fix the problems in a positive way. I'll admit I suspect the more likely way of fixing DNSSEC rollover-caused validation failures will be to simply disable DNSSEC validation.
Yes, this is a serious risk. On the other hand, people who still use the old key, and did not do anything to fix the problem, will have big trouble with DNSSEC sooner or later. So, it may be a not-so-bad thing if they disable it.
> I am personally unaware of any noticeable change in the trust associated with DNSSEC as a result of the (lack of) KSK rollover.
Several people told me "so, you are still unable to replace the [profanity deleted] key?", laughing hard. Yes, this is anecdotal evidence, I don't have a better one to offer.