Which is fine. Not because KSK rollover is supposedly complicated, but if you can't manage to keep your private keys and PKI safe in the first place then key rotation is just a security circus trick. But if you do know how to keep them safe, then...

▲

Avamander 3 hours ago | parent [-]

It is not fine. Keeping key material safe is not a boolean between "permanently safe" and "leaks immediately".

Keeping key material secure for more than a decade while it's in active use is vastly more complex than keeping it secure for a month, until it rotates.

For all we know, some ex-employee might be walking around with that KSK, theoretically being able to use it for god knows what for an another decade.

	▲	cyberax 21 minutes ago \| parent [-]
		> Keeping key material secure for more than a decade while it's in active use is vastly more complex than keeping it secure for a month, until it rotates. Nope. Key material rotation is just circus when it's done for the sake of rotation. > For all we know, some ex-employee might be walking around with that KSK, theoretically being able to use it for god knows what for an another decade. Or maybe an employee has compromised the new key that is going to be rotated in, while the old key is securely rooted in an HSM?