[ksk-change] Which style of rollover were people thinking of?
Greetings again. Assuming that we are still thinking of doing a KSK rollover, what style of rollover were people thinking of? draft-ietf-dnsop-dnssec-key-timing-05 describes three. Of course, there is no DS record here, but the DS's moral equivalent is the manually trusted key(s) in the validating resolvers. --Paul Hoffman
On Oct 7, 2014, at 1:41 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
Greetings again. Assuming that we are still thinking of doing a KSK rollover, what style of rollover were people thinking of? draft-ietf-dnsop-dnssec-key-timing-05 describes three. Of course, there is no DS record here, but the DS's moral equivalent is the manually trusted key(s) in the validating resolvers.
Paul, If my reading of the draft is correct, the Double-KSK method most accurately describes what the root zone management partners had been talking about during our 2013 discussions. DW
+1 Yep..

-----Original Message-----
From: Wessels, Duane
Sent: Tuesday, October 07, 2014 2:00 PM
To: Paul Hoffman
Cc: ksk-rollover@icann.org
Subject: Re: [ksk-change] Which style of rollover were people thinking of?

On Oct 7, 2014, at 1:41 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
Greetings again. Assuming that we are still thinking of doing a KSK rollover, what style of rollover were people thinking of? draft-ietf-dnsop-dnssec-key-timing-05 describes three. Of course, there is no DS record here, but the DS's moral equivalent is the manually trusted key(s) in the validating resolvers.
Paul, If my reading of the draft is correct, the Double-KSK method most accurately describes what the root zone management partners had been talking about during our 2013 discussions. DW
On 7 Oct 2014, at 22:59, Wessels, Duane <dwessels@verisign.com> wrote:
If my reading of the draft is correct, the Double-KSK method most accurately describes what the root zone management partners had been talking about during our 2013 discussions.
Correct, and the only (?) usable method with 5011 as I see it. We've discussed various ways to keep the packet size down during a rollover, but that is another issue. jakob
On Oct 7, 2014, at 1:59 PM, Wessels, Duane <dwessels@verisign.com> wrote:
If my reading of the draft is correct, the Double-KSK method most accurately describes what the root zone management partners had been talking about during our 2013 discussions.
Are there minutes/notes from those discussions? And: yay for that choice. The draft lists the tradeoff as: In essence, Double-KSK means that the new KSK is introduced first and used to sign the DNSKEY RRset. The DS record is changed, and finally the old KSK removed. It limits interactions with the parent to a minimum but, for the duration of the rollover, the size of the DNSKEY RRset is increased. ...which seems right when the "parent" is "many resolvers using different methods of pulling the root key". --Paul Hoffman
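As an added model (not from the thread, the draft, or any root zone operator's code), the Double-KSK rollover quoted above seen from a validating resolver that maintains its own trust anchors under RFC 5011, the "parent" role Paul describes; the key labels, the one-observation-per-day clock, and the phase list are constructed for illustration, and the real REVOKE flag handling and key-tag recomputation are simplified to a boolean.

```python
from dataclasses import dataclass, field

HOLD_DOWN_DAYS = 30  # RFC 5011 add hold-down timer; model clock: one observation per day

@dataclass(frozen=True)
class DNSKey:
    name: str               # constructed label; real resolvers track the key tag
    revoked: bool = False   # True when published with the REVOKE bit set

@dataclass
class Resolver:
    """Validating resolver keeping its own root trust anchors (simplified RFC 5011)."""
    trusted: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # key name -> consecutive days observed

    def observe(self, rrset, signers):
        """Process one DNSKEY RRset; signers are the keys whose RRSIGs cover it."""
        if not {k.name for k in signers} & self.trusted:
            return False                            # not signed by any anchor: ignore
        for k in rrset:
            if k.revoked:
                if k.name in self.trusted and k in signers:
                    self.trusted.discard(k.name)    # revoked and self-signed: drop anchor
            elif k.name not in self.trusted:
                self.pending[k.name] = self.pending.get(k.name, 0) + 1
                if self.pending[k.name] >= HOLD_DOWN_DAYS:
                    self.trusted.add(k.name)        # hold-down elapsed: new anchor
        present = {k.name for k in rrset}
        for name in [n for n in self.pending if n not in present]:
            del self.pending[name]                  # withdrawn before hold-down ended
        return True

def double_ksk_rollover(resolver):
    """Run the draft's Double-KSK phases; the 'DS change' is each resolver's 5011 update.
    Returns (phase, DNSKEY RRset size, anchors held afterwards) per phase."""
    old, new = DNSKey("KSK-old"), DNSKey("KSK-new")
    old_revoked = DNSKey("KSK-old", revoked=True)
    phases = [  # (label, published DNSKEY RRset, keys signing it, days held)
        ("steady state, old KSK only", [old], [old], 1),
        ("new KSK published, RRset signed by both", [old, new], [old, new], HOLD_DOWN_DAYS),
        ("old KSK revoked, self-signed", [old_revoked, new], [old_revoked, new], 1),
        ("old KSK removed", [new], [new], 1),
    ]
    log = []
    for label, rrset, signers, days in phases:
        for _ in range(days):
            resolver.observe(rrset, signers)
        log.append((label, len(rrset), frozenset(resolver.trusted)))
    return log
```

The RRset size column shows the cost the draft names (two KSKs published for the whole hold-down), and a resolver that misses the hold-down window or never sees the revocation keeps the old anchor, which is why the thread treats the resolvers, not a DS record, as the parent to synchronise with.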
participants (4)
- Jakob Schlyter
- Paul Hoffman
- Richard Lamb
- Wessels, Duane