[ksk-change] [ksk-rollover] root zone KSK rollover operations workshop planning

Tomofumi Okubo tomofumi.okubo at gmail.com
Fri Sep 19 18:46:12 UTC 2014


In my personal opinion, KSK rollover falls under two categories.

One is when the key is compromised in any way (physically or
logically) and the other is when it is operationally better to rotate
the key.
The former is an emergency roll and the latter is a planned roll.

The rollover we are discussing now falls under the latter. It's
something like a disaster recovery exercise (not testing on production
:-)) so that we can confirm that we can roll the key in case of
emergency without major hiccups.
Right now, we don't know that as we've never done it.

It will be irresponsible for us engineers not to roll the key and
defer the issues to the next generation.
On the other hand, if we do this right, people will trust DNSSEC even more.

Just my two cents.


On Fri, Sep 19, 2014 at 10:28 AM, David Conrad <david.conrad at icann.org> wrote:
> Paul,
> On Sep 19, 2014, at 10:06 AM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
>>> I’m not sure arguing the semantics of the terminology used in the name of this mailing list is a good use of time.
>> I am. If, as you say below, "everything that could impact changing the key and/or the implications of changing the key should be in scope", then simply calling the workshop as being about "KSK change" would be a lot clearer.
> While I’m all in favor of clarity, given the challenges I had in arranging for the workshop to be held in LA, I am somewhat reticent to change anything, including even the title in the agenda (particularly since an announcement has already gone out). I will, however, keep this in mind for future workshops (I anticipate these workshops will be a feature for upcoming meetings until they are no longer necessary/useful).
> With regards to the mailing list, I’ve changed the subject string (and mailing list short and long descriptions) to reference ‘change’ as opposed to ‘rollover’.  I hope this suffices (creating mailing lists at ICANN requires a bit of work and I’d prefer not having to change the mailing list name).
>> And, given that, I propose that there be a major topic on changing the signing algorithm to elliptic curve with 256-bit keys.
> Personally, I’m quite interested in this particular topic (and, in fact (teaser :)), hope there will be some data presented during the workshop related to this).
> Regards,
> -drc