Root signing comments
- To: comments-root-zone-consultation-08mar13@xxxxxxxxx
- Subject: Root signing comments
- From: David Burns <davburns@xxxxxxxxxxx>
- Date: Fri, 08 Mar 2013 21:10:13 -0800
Hello,
I don't have technical or chronological comments on this, but I think I
have some operational (running unsigned authoritative and validating
recursive DNS servers for a few thousand users) insight that might be
useful. The short version of this is, "Don't screw up."
Key rollover might not be 'hard' in the computer science sense, but
several zone operators Who Ought To Know Better have recently failed at
this. (IANA or ARIN broke 0.1.6.2.ip6.arpa a while ago, and Comcast
broke one of their zones recently.)
When a zone authoritatively fails (because KSK rollover didn't work
right), then validating servers return SERVFAIL, while non-validating
servers return the correct answer. To end users, this looks like the
validating servers are broken, which makes running validating servers
"painful."
Zone signatures aren't any good if nobody validates. I know that I'm
about one more incident away from turning off validation, and I doubt
that I'm alone in that. I think that there are a lot of DNS operators
that haven't turned on validation because they perceive that DNS
spoofing attacks happen less frequently than signing and rollover
errors; the cure appears (at least for now?) to be worse than the disease.
So please:
1. Be very sure that this works right;
2. Be sure that it keeps working right;
3. Publish how you did #1 and #2 so that other People Who Ought To Know
Better (and maybe someday mere mortals like me) can do this right.
Thanks for considering this,
--David Burns
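The failure mode the message describes (a KSK rollover in which the DS record the parent publishes no longer matches any key in the child's DNSKEY set, so validating resolvers answer SERVFAIL while non-validating ones hand back the data) can be walked through offline. The Python below is an added example, not part of the original message and not code from ICANN, IANA or any root-zone process. It implements the DS digest (RFC 4034 section 5.1.4) and key-tag (RFC 4034 Appendix B) computations over constructed key bytes (the public keys are placeholder strings, not real RSA keys), models only the DS-to-DNSKEY link that a rollover must keep intact (signature verification with the matched key is not modelled), and the zone name `example.`, the key bytes and the answer `192.0.2.1` are all made up. The `safe_to_remove` pre-flight check is the kind of test an operator would run before withdrawing a KSK.

```python
import hashlib
import struct
from dataclasses import dataclass

# DNSKEY flag bits (RFC 4034 section 2.1). ZONE is required for any key a DS
# may authenticate; SEP merely marks the key as a KSK and is only a hint.
FLAG_ZONE = 0x0100
FLAG_SEP = 0x0001
ALG_RSASHA256 = 8        # algorithm number only; the key bytes below are constructed
DS_DIGEST_SHA256 = 2


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes      # constructed placeholder bytes, not a real RSA key
    protocol: int = 3

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit sum over the RDATA as big-endian byte pairs, carry folded in
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_ds(owner: str, key: DNSKEY) -> DS:
    """RFC 4034 section 5.1.4: digest = SHA-256(owner name wire form || DNSKEY RDATA)."""
    digest = hashlib.sha256(owner_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, DS_DIGEST_SHA256, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """A DS authenticates a DNSKEY only if tag, algorithm and digest agree and the key is a zone key."""
    if not key.flags & FLAG_ZONE:
        return False
    if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm or ds.digest_type != DS_DIGEST_SHA256:
        return False
    return make_ds(owner, key).digest == ds.digest


def resolve(owner: str, parent_ds_set: set, child_dnskey_set: set, answer: str, validate: bool) -> str:
    """Model of the two resolver behaviours described in the message.

    A validating resolver needs at least one parent DS that matches a key in the
    child's current DNSKEY set; if none does, the chain of trust is broken and it
    returns SERVFAIL. A non-validating resolver never consults DS or DNSKEY at all.
    """
    if not validate:
        return answer
    for ds in parent_ds_set:
        if any(ds_matches(owner, ds, key) for key in child_dnskey_set):
            return answer
    return "SERVFAIL"


def safe_to_remove(owner: str, parent_ds_set: set, keys_after_removal: set) -> bool:
    """Pre-flight check before withdrawing a KSK: does a published DS still match a remaining key?"""
    return resolve(owner, parent_ds_set, keys_after_removal, "ok", validate=True) == "ok"


def rollover_scenarios() -> dict:
    """Walk a KSK rollover three ways and record what each resolver type returns."""
    owner = "example."                                    # constructed zone name
    old_ksk = DNSKEY(FLAG_ZONE | FLAG_SEP, ALG_RSASHA256, b"constructed-old-ksk")
    new_ksk = DNSKEY(FLAG_ZONE | FLAG_SEP, ALG_RSASHA256, b"constructed-new-ksk")
    zsk = DNSKEY(FLAG_ZONE, ALG_RSASHA256, b"constructed-zsk")
    answer = "192.0.2.1"                                  # constructed answer (TEST-NET-1)

    parent_ds_old = {make_ds(owner, old_ksk)}             # parent still publishes only the old DS
    results = {}
    # Pre-publish: both KSKs in the DNSKEY set while the parent still has the old DS. Validates.
    results["prepublish"] = resolve(owner, parent_ds_old, {old_ksk, new_ksk, zsk}, answer, True)
    # Broken rollover: old KSK withdrawn before the parent's DS was updated.
    results["broken_validating"] = resolve(owner, parent_ds_old, {new_ksk, zsk}, answer, True)
    results["broken_nonvalidating"] = resolve(owner, parent_ds_old, {new_ksk, zsk}, answer, False)
    results["removal_was_safe"] = safe_to_remove(owner, parent_ds_old, {new_ksk, zsk})
    # Correct order: parent publishes the new DS first, then the old KSK is withdrawn.
    parent_ds_both = {make_ds(owner, old_ksk), make_ds(owner, new_ksk)}
    results["ds_updated"] = resolve(owner, parent_ds_both, {new_ksk, zsk}, answer, True)
    return results


if __name__ == "__main__":
    for name, value in rollover_scenarios().items():
        print(f"{name}: {value}")
```

The "broken" scenario is exactly the operator's complaint: the same query yields SERVFAIL from the validating path and an answer from the non-validating path, and nothing on the authoritative side looks wrong. The `safe_to_remove` check returning False before the old key is withdrawn is the cheap test that catches it.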