[ksk-change] Keeping two KSK keys long term

Joe Abley jabley at hopcount.ca
Thu Oct 2 15:41:54 UTC 2014

On 1 Oct 2014, at 17:15, Jakob Schlyter <jakob at kirei.se> wrote:

> On 1 okt 2014, at 23:00, Michael StJohns <msj at nthpermutation.com> wrote:
>> Having two keys - in the trust anchor set -  should be the minimum steady state.  It means that you can compromise one of them and still recover without needing to do a full trust reboot.
> That only makes sense if you maintain and protect the keys separately, something that comes with a considerable cost. We did considering this when the current Root DNSSEC was engineered, and IIRC the cost/benefit analysis did not justify such a scheme.

I think it's still worth considering, though. It seems possible that we discounted the possibility of secure storage of multiple sets of keys with different threat models too early because we assumed it would require double the facility cost.

For example, a standby key could be stored in key shares across the existing two facilities such that the threat model is usefully different to the production key (e.g. such that you'd need to attack both facilities to recover the standby key, whereas you only need to attack a single facility to compromise the production key).


More information about the ksk-rollover mailing list