In the last paragraph of 3.1.1, remove the last sentence ("Although,
given a long enough key..."). Replace it with the following
paragraphs:
There are two schools of thought on rolling a KSK that is not a
trust anchor:
- It should be done regularly (possibly every few months) so that
a key rollover remains an operational routine.
- It should only be done when it is known or strongly suspected
that the key has been compromised in order to reduce the
stability issues on systems where the rollover does not happen
cleanly.
There is no widespread agreement on which of these two schools of
thought is better for different deployments of DNSSEC. There is a
stability cost every time a non-anchor KSK is rolled over, but it
is possibly low if the communication between the child and the
parent is good. On the other hand, the only completely effective
way to tell if the communication is good is to test it
periodically. Thus, rolling a KSK with a parent is only done for
two reasons: to test and verify the rolling system to prepare for
an emergency, and in the case of an actual emergency.
Because of the difficulty of getting all users of a trust anchor to
replace an old trust anchor with a new one, a KSK that is a trust
anchor should never be rolled unless it is known or strongly
suspected that the key has been compromised.
Remove the first paragraph of 3.3; it is now covered in 3.1.1 (and it
was wrong about the cryptography).
Change the second paragraph of 3.3 to:
From a purely operational perspective, a reasonable key effectivity
period for KSKs that have a parent zone is 13 months, with the
intent to replace them after 12 months. An intended key
effectivity period of a month is reasonable for Zone Signing Keys.
This annual rollover gives operational practice to rollovers.
Ignoring the operational perspective, a reasonable effectivity
period for KSKs that have a parent zone is 25 years or longer.
That is, if one does not plan to test the rollover procedure, the
key should be effective essentially forever, and then only rolled
over in case of emergency.
In the first paragraph of 4.2, replace the first two sentences with:
Regardless of whether a zone uses periodic key rollovers in order
to practice for emergencies, or only rolls over keys in an
emergency, key rollovers are a fact of life when using DNSSEC.
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
