Does anyone know which software will/won’t automatically trust the new root anchor?
A quick search indicates systemd-resolved (https://www.freedesktop.org/software/systemd/man/latest/dnssec-trust-anchors.d.html#Positive%20Trust%20Anchors), PowerDNS Recursor (https://doc.powerdns.com/recursor/dnssec.html#trust-anchors) and dnsmasq may not support it.
Unbound, BIND & Knot resolvers do.
Any information about the reason for this change?
https://www.icann.org/en/system/files/files/proposal-future-rz-ksk-rollovers-01nov19-en.pdf
Basically, as I read it: a decision to do periodic, routine rollovers to “keep the system exercised” and make sure that validators handle rollovers correctly. In the same spirit as actually doing a restore from your backups every now and then: it sucks to find out that the system doesn’t work in any emergency.
The previous key was from 2017, and the set before that from 2010 — 7 years between events is awfully long. They’re targeting 3 years from now on.
I was exhausted when I wrote this.