[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

Michael StJohns msj at nthpermutation.com
Sun Sep 21 19:33:14 UTC 2014


On 9/21/2014 3:17 PM, Paul Hoffman wrote:
> On Sep 21, 2014, at 8:41 AM, Joe Abley <jabley at hopcount.ca> wrote:
>
>> One way that an emergency roll is different from a planned roll is that a planned roll can make use of existing non-compromised KSKs and their corresponding trust anchors, whereas an emergency roll (where the emergency is a consequence of a key compromise) might not have that luxury.
> Just a placeholder here, but one that some people care about:
>
> A planned rollover could turn into an emergency rollover during the ceremony if it is discovered that the signing hardware for the current key (or all the current keys, if there are more than one) cannot be used.

I had to read this a few times to get what I think you meant.
Specifically, if a) a signature is expiring over one of the groups of 
keys in the trust chain, and b) the hardware breaks so that the 
signature will expire before you can do the resigning, then c) it's an 
emergency.

I'm stating it that way because keys don't actually have a defined EOL, 
so whether we're in an emergency situation or not is tied to signature 
expiration rather than the time you're trying to do the re-sign.  In the 
above scenario you have the time between your attempt and the signature 
expiration to recover the keys and complete the signature.  It's an 
internally triggered event that, if completed successfully, has no 
external implications.

If you're unable to resign the root DNSKEY RRSet in time with one of the 
keys in the root trust anchor set, then it's not actually an emergency 
rollover (keys aren't compromised, no one else can use them for faking 
data in the zone), but a failure of process.  The question is then how 
do you recover/reboot your trust anchor set so you can reestablish a 
chain of trust.

I think they're two very different things to consider.

Mike
>
> You can't tell if signing hardware that is not being used (because it is purposely offline, maybe in a safe) will be usable until you try.
>
> --Paul Hoffman
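The distinction drawn above (the clock that matters is the RRSIG expiration over the DNSKEY RRset, not any key "EOL") can be made concrete with a small window calculation. This is an added example, not code from the thread or from ICANN; the timestamps are constructed, and the RRSIG time handling follows RFC 4034 (YYYYMMDDHHmmSS presentation form, 32-bit wire form compared with serial-number arithmetic).

```python
"""How much time is left to re-sign before validators reject the RRset?

Constructed example: given the RRSIG expiration on the DNSKEY RRset and
the moment the re-signing attempt is made (both in RFC 4034 presentation
form, UTC), report the remaining window and whether an estimated
hardware-recovery time fits inside it.
"""
from datetime import datetime, timedelta, timezone

MOD = 1 << 32  # RRSIG inception/expiration are 32-bit fields (RFC 4034 3.1.5)


def parse_rrsig_time(text: str) -> int:
    """Parse YYYYMMDDHHmmSS (UTC) into the 32-bit wire-form value."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD


def serial_diff(a: int, b: int) -> int:
    """a - b in RFC 1982 serial arithmetic, as RFC 4034 requires for
    comparing RRSIG times; handles 32-bit wraparound (the 2106 problem)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def seconds_to_expiry(expiration_text: str, attempt_text: str) -> int:
    """Seconds between the re-sign attempt and RRSIG expiration (<= 0: expired)."""
    return serial_diff(parse_rrsig_time(expiration_text),
                       parse_rrsig_time(attempt_text))


def classify(expiration_text: str, attempt_text: str,
             recovery_estimate: timedelta) -> str:
    """Routine recovery, a process failure in the making, or already expired.

    'recoverable'     : hardware can plausibly be brought back before expiry
    'process-failure' : the estimate does not fit; plan trust-anchor recovery
    'expired'         : the signature has lapsed; the chain of trust is broken
    """
    remaining = seconds_to_expiry(expiration_text, attempt_text)
    if remaining <= 0:
        return "expired"
    if recovery_estimate.total_seconds() < remaining:
        return "recoverable"
    return "process-failure"


if __name__ == "__main__":
    # Constructed values: RRSIG expires 2014-10-05, attempt on 2014-09-21.
    print(seconds_to_expiry("20141005000000", "20140921193300"))
    print(classify("20141005000000", "20140921193300", timedelta(days=7)))
```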