Re: [DNSOP] KSK rollover choices

2018-11-03 Thread Wes Hardaker
Joe Abley writes:

> I think the wider problem space might be better described as trust
> anchor publication and retrieval.

Couldn't have said it better myself (more specifically, I didn't). The problem space is much bigger than 5011, and 5011 is but one tool to solve a piece of the whole

Re: [DNSOP] KSK rollover choices

2018-11-01 Thread Joe Abley
On 1 Nov 2018, at 15:14, Wes Hardaker wrote:

> Russ Housley writes:
>
>> It is a good time to do rfc5011-bis. Real world experience from the
>> KSK roll makes a lot of sense to me.
>
> I think step one would be to list the aspects of it that worked well,
> and the aspects that didn't. From

Re: [DNSOP] KSK rollover choices

2018-11-01 Thread Wes Hardaker
Russ Housley writes:

> It is a good time to do rfc5011-bis. Real world experience from the
> KSK roll makes a lot of sense to me.

I think step one would be to list the aspects of it that worked well, and the aspects that didn't. From that we can determine the need for a replacement and what

Re: [DNSOP] KSK rollover choices

2018-11-01 Thread Russ Housley
> On Oct 30, 2018, at 8:27 PM, Mark Andrews wrote:
>
>> On 31 Oct 2018, at 11:16 am, Jim Reid wrote:
>>
>> On 30 Oct 2018, at 22:31, Mark Andrews wrote:
>>>
>>> Ultra frequent key rolls are not necessary. It takes years for the latest
>>> releases of name servers to make it into shipping

Re: [DNSOP] KSK rollover choices

2018-10-31 Thread Michael StJohns
On 10/31/2018 2:54 PM, Paul Vixie wrote: Jim Reid wrote: On 31 Oct 2018, at 00:27, Mark Andrews wrote: Bootstrap is still an issue. Over fast TA rolling makes it more of an issue. Indeed. And that's the underlying problem that needs to be fixed IMO - for instance when/if there's an

Re: [DNSOP] KSK rollover choices

2018-10-31 Thread Joe Abley
Hi Paul,

On 31 Oct 2018, at 14:54, Paul Vixie wrote:

> Jim Reid wrote:
>
>>> On 31 Oct 2018, at 00:27, Mark Andrews wrote:
>>>
>>> Bootstrap is still an issue. Over fast TA rolling makes it more of
>>> an issue.
>>
>> Indeed. And that's the underlying problem that needs to be fixed IMO
>> -

Re: [DNSOP] KSK rollover choices

2018-10-31 Thread Paul Vixie
Jim Reid wrote: On 31 Oct 2018, at 00:27, Mark Andrews wrote: Bootstrap is still an issue. Over fast TA rolling makes it more of an issue. Indeed. And that's the underlying problem that needs to be fixed IMO - for instance when/if there's an emergency rollover. bootstrappers should

Re: [DNSOP] KSK rollover choices

2018-10-31 Thread Jim Reid
> On 31 Oct 2018, at 00:27, Mark Andrews wrote:
>
> Bootstrap is still an issue. Over fast TA rolling makes it more of an issue.

Indeed. And that's the underlying problem that needs to be fixed IMO - for instance when/if there's an emergency rollover.

[DNSOP] KSK rollover choices

2018-10-30 Thread Paul Hoffman
Just a brief note that the threads about KSK futures started on the ksk-rollo...@icann.org mailing list and should probably still be there. The only bit that was meant to be on this Working Group mailing list was an announcement of the side-meetings next week.

Re: [DNSOP] KSK rollover choices

2018-10-30 Thread Mark Andrews
> On 31 Oct 2018, at 11:16 am, Jim Reid wrote:
>
> On 30 Oct 2018, at 22:31, Mark Andrews wrote:
>>
>> Ultra frequent key rolls are not necessary. It takes years for the latest
>> releases of name servers to make it into shipping OS’s.
>
> So what? Key rollover policies cannot and should not

[DNSOP] KSK rollover choices

2018-10-30 Thread Jim Reid
On 30 Oct 2018, at 22:31, Mark Andrews wrote:
>
> Ultra frequent key rolls are not necessary. It takes years for the latest
> releases of name servers to make it into shipping OS’s.

So what? Key rollover policies cannot and should not be driven by vendor OS release schedules. Or the