[ksk-rollover] root zone KSK rollover operations workshop planning

S Moonesamy sm+icann at elandsys.com
Thu Sep 18 21:08:05 UTC 2014

Hi Mike,

Section 6.5 of the Root Zone DPS [1] states that a key rollover will 
be scheduled on or after five years.

At 08:58 18-09-2014, Michael StJohns wrote:
>So a good place to start IMHO is NIST SP800-57 Part 1, Rev 3, 
>Section 5.3.4 Cryptoperiods for Asymmetric Keys.
>Other places to look are:
>  a) What is the expected EOL of the hardware currently used for root signing?

That would be at least five years.

>     i) Is there a transition plan for transition to new hardware?

In my opinion that was to be covered by the key rollover.

>b) What affect on the overall security of the system does transition 
>of personnel have?  E.g. replacement of ICANN personnel involved 
>with the KSK, replacement of community representatives?  Are there 
>exploitable attack surfaces?

I'll skip this one.

>e) Can any of the above be mitigated through a single KSK rollover? 
>Through regularly scheduled KSK rollovers?

I am one of the Crypto Officers (West Coast).

The key rollover process has never been exercised.  The logistics is 
non-trivial.  I raised the question of a KSK rollover previously with 
ICANN as there isn't any operational experience for some parts of the DPS.

S. Moonesamy

1. https://www.iana.org/dnssec/icann-dps.txt  

More information about the ksk-rollover mailing list