ICANN Email List Archives



A proposed schedule for rolling the root key

  • To: comments-root-zone-consultation-08mar13@xxxxxxxxx
  • Subject: A proposed schedule for rolling the root key
  • From: Doug Barton <dougb@xxxxxxxxxxxxx>
  • Date: Sat, 27 Apr 2013 17:22:11 -0700

1. Announce a date around 6 months in advance when the key will be rolled
2. Roll it
3. Wait a minimum of 3 months after the first roll to triage the damage
4. Once the community feels that we have a handle on what went wrong the first time (IOW, some time after the 3 months), announce a second roll in 3-6 months time.
5. Roll it again
6. Wait another 3 months, hopefully there will be less fallout after the second roll
7. Announce a third roll in 3-6 months
8. Assuming the third roll goes well, set a schedule for the next one. Two years is a nice round number.

Unfortunately, it's inevitable that things will break when the key is
rolled. I don't envy those at ICANN who will be dealing with both the
pre-roll PR, and the fallout. :)

However, it has to be done, and sooner is better than later. The chances that the root key is susceptible to any currently known cryptographic attack are very, very tiny at the moment. However, at this stage of the game an emergency key rollover (for whatever reason) would be disastrous, more for PR reasons than technical ones.

hope this helps,

