On 2/8/18, 01:02, "DNSOP on behalf of Paul Wouters" wrote:
>We have a giant hole in our understanding of why there are updated nameservers
>running the latest software with the older keys.

If just to spread rumors, I heard the following as early as November, 2016.
One of the issues is that operators update code without updating configuration
files. I.e., a BIND upgraded today might be using a configuration file from
the pre-managed-key days.
I am not saying this theory has been put to the test, but it is compelling.
This hypothesis is in the ICANN deck on the KSK rollover used throughout 2017
(until the postponement).
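One way an operator could check a resolver for the situation described in the message above, added here as an example and not part of the original post: the script scans named.conf text for a root trust anchor pinned in a static `trusted-keys` block, as opposed to one tracked through `managed-keys` or `dnssec-validation auto`. The function names and both sample configurations are constructed for illustration, and the key data is a placeholder, not a real key.

```python
import re

# Quoted strings are matched first so "//" inside base64 key data is not
# mistaken for the start of a comment.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_BLOCK = re.compile(r'\b(trusted-keys|managed-keys)\s*\{(.*?)\}\s*;', re.S)
_ROOT = re.compile(r'(?:^|;)\s*(?:"\."|\.)\s+(?:initial-key\s+)?\d+\s+\d+\s+\d+\s+"')
_AUTO = re.compile(r'\bdnssec-validation\s+auto\s*;')

def strip_comments(text):
    """Remove //, # and /* */ comments while leaving quoted strings intact."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else " "
    return _TOKEN.sub(keep, text)

def root_anchor_modes(conf_text):
    """Return the set of ways ("static", "managed") the root anchor is configured."""
    text = strip_comments(conf_text)
    modes = set()
    for kind, body in _BLOCK.findall(text):
        if _ROOT.search(body):
            modes.add("static" if kind == "trusted-keys" else "managed")
    if _AUTO.search(text):
        modes.add("managed")  # built-in root anchor, maintained automatically
    return modes

def stale_anchor_risk(conf_text):
    """True when a root key is pinned statically and so will not follow a rollover."""
    return "static" in root_anchor_modes(conf_text)

# Constructed sample: new binary, configuration from the pre-managed-keys days.
LEGACY_CONF = '''
options { directory "/var/named"; dnssec-validation yes; };
// copied forward through several upgrades
trusted-keys {
    "." 257 3 8 "AwEAAc//CONSTRUCTED+PLACEHOLDER+NOT+A+REAL+KEY==";
};
'''

# Constructed sample: the static block is commented out and validation is automatic.
CURRENT_CONF = '''
/* trusted-keys { "." 257 3 8 "AwEAAc//CONSTRUCTED+PLACEHOLDER=="; }; */
options { directory "/var/named"; dnssec-validation auto; };
'''

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("current", CURRENT_CONF)):
        print(name, sorted(root_anchor_modes(conf)), stale_anchor_risk(conf))
```

The scan does not follow `include` statements, so included files need to be passed through it as well.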