On 2/8/18, 01:02, "DNSOP on behalf of Paul Wouters" wrote:
>We have a giant hole in our understanding of why there are update nameservers 
>running the latest software with the older keys.

If just to spread rumors, I heard the following as early as November, 2016.  
One of the issues is that operators update code without updating configuration 
files.  I.e., a BIND upgraded today might be using a configuration file from 
the pre-managed-key days.

I am not saying this theory has been put to the test, but it is compelling.  
This hypothesis is in the ICANN deck on the KSK rollover used throughout 2017 
(until the postponement).

DNSOP mailing list

Reply via email to