> -----Original Message-----
> The story that I keep on hearing is that even the most experienced engineers
> have issues with understanding the configuration of the KSK and Zone signing
> keys and the key rollover, inconsistencies in documentation and therefore
> lack of adoption, because in case of a mistake this might seriously impact the
> production environment.

I can confirm (from the RIPE meeting where they have a DNS WG) that these concerns are widespread. DNSSEC is brittle and key rollover is very complicated. One thing I heard (do not know this deeply) is that a lot about DNSSEC key management depends on the registrar and every registrar does it differently.