[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

Joe Abley jabley at hopcount.ca
Sun Sep 21 15:41:47 UTC 2014

On 21 Sep 2014, at 1:39, Tomofumi Okubo <tomofumi.okubo at gmail.com> wrote:

> Thanks for your reply.
>> On Sep 20, 2014, at 17:58, David Conrad <david.conrad at icann.org> wrote:
>> Actually, I don’t think we’ve started the discussion on changing the key as yet :).
> My bad. I thought it did seeing the lively discussion on the list :-)
>> Is there a need to have a different set of policies/processes for an emergency roll vs. a planned roll?
> In general, planned operation and emergency (disaster recovery) do
> have different set of policies and processes but I believe we can come
> up with something all-in-one.

One way that an emergency roll is different from a planned roll is that a planned roll can make use of existing non-compromised KSKs and their corresponding trust anchors, whereas an emergency roll (where the emergency is a consequence of a key compromise) might not have that luxury.

Making the procedures essentially the same might benefit from a standby key whose trust anchor is published long in advance, and whose risk profile of compromise is usefully different from that of the active KSK.

Having such a standby key available (e.g. as recommended in RFC 5011, and by Mike StJohns in the past) would help align the two procedures, although an approach for mitigating the compromise of both active and standby keys would still be required for the general case of emergency roll due to compromise.


More information about the ksk-rollover mailing list