The timing of publication of signatures by new KSK
Dear Icann and Verisign, It is real important for Resolver operators to know when this happens as the publication time starts the clock on when validation failures begin. About 48 after last root server starts advertising the new DNSKEY closes the window of when last resolvers will start returning errors. Thus I request that ICANN + Verisign commit to publish the DNSKEY set signed by the new KSK on October 11'th at 12:00 UTC as that is the only time it is October 11'th everywhere in the world. This way we can know that all errors will be visible before 13:00 UTC on Oct 13'th, as over 99% of root servers load up new zone in less than an hour (I hope) Olafur
On 8 Jun 2017, at 14:55, Ólafur Guðmundsson via ksk-rollover <ksk-rollover@icann.org> wrote:
Thus I request that ICANN + Verisign commit to publish the DNSKEY set signed by the new KSK on October 11'th at 12:00 UTC as that is the only time it is October 11'th everywhere in the world.
For what it's worth, there is no point in time you could choose that has the same date everywhere. Without daylight savings in those places that use it in the southern hermisphere, the range of UTC offsets exceed 24 hours (UTC-12 to UTC+14). 2017-10-11 1200 UTC is: 2017-10-12 0100 in Kiribati (Phoenix Islands) and Tokelau 2017-10-12 0100 in Fiji and New Zealand (with daylight savings) 2017-10-12 0145 in the Chatham Islands 2017-10-12 0200 in Samoa and Tonga (with daylight savings) 2017-10-12 0200 in Kiribati (Line Islands) That's not an exhaustive list, but you get the idea. I didn't check all the transition times for daylight savings, but New Zealand which is likely where you'd expect to see the most impact changes over in September, I think. Joe
participants (2)
-
Joe Abley -
Ólafur Guðmundsson