[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

S Moonesamy sm+icann at elandsys.com
Mon Sep 22 06:37:24 UTC 2014

Hi Tomofumi,
At 21:41 21-09-2014, Tomofumi Okubo wrote:
>CAs deal with these risks by establishing and implementing rigorous
>security controls around key management and undergo third party audits
>to verify that the controls remain effective and are actually
>followed. This is kind of funny but they also transfer this risk by
>buying insurance but I'm not sure this helps. Certainly not applicable
>to us.
>I think the huge difference between the CA business and Root DNSSEC is
>that there is no going out-of-business for Root DNSSEC. It doesn't
>matter how ugly it gets, we have no option but to recover and keep on
>providing the service at all costs.

Thanks for the above explanation.  It seems that the CA business is 
being conflated with Root DNSSEC.

There is supposed to be redundancy as part of the DNSSEC practice to 
reduce the risks.  The HSMs are offline.  The risk there is physical 
access [1].  An emergency roll-over could, in simple terms, be when a 
private key is lost or compromised.  A planned roll-over reduces the 
likelihood of that happening.  The reluctance to do that planned 
roll-over is probably because:

   (a) It has never been done before.

   (b) There will be an operational impact.

It is difficult to assess (b) because of (a).  What there is now is 
"the root key" [2].  It is not a good idea, in my opinion, to have 
"the root key" [3].

S. Moonesamy

1. I'll skip a discussion of that.
2. Credits to Michael StJohns
3. I am aware that it is a shared key. 
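The difference between a planned and an emergency roll-over that the message alludes to can be made concrete with a small model. What follows is an added example, not code from this thread or from the root zone operators: it treats a resolver as validating the root DNSKEY RRset when one of its trust anchors is a published KSK whose RRSIG covers that RRset, and it reduces the RFC 5011 hold-down to a single step. Real signatures, TTLs and timers are left out, and the key tags (1001, 1002) and the step sequences are constructed for the illustration.

```python
# Added example (not from the ksk-rollover thread): a toy model contrasting a
# planned KSK rollover with an emergency one. A resolver validates the root
# DNSKEY RRset when one of its trust anchors matches a KSK whose RRSIG covers
# that RRset. Signatures, TTLs and the real RFC 5011 timers are not modelled;
# key tags and step sequences are constructed for the illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class KSK:
    tag: int  # key tag as it would appear in a DS record / trust anchor


@dataclass
class RootZone:
    """Root zone apex at one point in time."""
    published: frozenset  # KSKs present in the DNSKEY RRset
    signers: frozenset    # KSKs whose RRSIG covers the DNSKEY RRset


def validates(zone: RootZone, anchors: set) -> bool:
    """A resolver accepts the DNSKEY RRset if any configured anchor is a
    published KSK that actually signs the RRset."""
    return any(k in zone.published and k in zone.signers for k in anchors)


class Resolver:
    def __init__(self, anchors, tracks=True):
        self.anchors = set(anchors)
        self.tracks = tracks      # False: anchor configured once, never updated
        self.pending = set()      # keys seen but still inside the hold-down

    def observe(self, zone: RootZone) -> bool:
        # Keys first seen at the previous step have now passed the hold-down
        # (one step stands in for the RFC 5011 30-day timer).
        if self.tracks:
            self.anchors |= self.pending
            self.pending = set()
        ok = validates(zone, self.anchors)
        # RFC 5011 style: a new KSK is only learned while it is introduced
        # under a signature the resolver already trusts. A key that appears
        # after the old one is gone cannot be learned automatically.
        if self.tracks and ok:
            self.pending = {k for k in zone.published if k not in self.anchors}
        return ok


def run(steps, resolver) -> list:
    """Per-step validation outcome for one resolver over a rollover."""
    return [resolver.observe(z) for z in steps]


OLD, NEW = KSK(1001), KSK(1002)  # constructed tags, not real root KSK tags


def planned_rollover():
    """Pre-publish NEW under OLD's signature, double-sign, then retire OLD."""
    return [
        RootZone(frozenset({OLD}), frozenset({OLD})),
        RootZone(frozenset({OLD, NEW}), frozenset({OLD, NEW})),
        RootZone(frozenset({NEW}), frozenset({NEW})),
    ]


def emergency_rollover():
    """OLD is lost or compromised: it is pulled at once and NEW appears with
    no overlap, so no resolver ever saw NEW signed by a key it trusted."""
    return [
        RootZone(frozenset({OLD}), frozenset({OLD})),
        RootZone(frozenset({NEW}), frozenset({NEW})),
    ]


if __name__ == "__main__":
    for name, steps in (("planned", planned_rollover()),
                        ("emergency", emergency_rollover())):
        print(name, "tracking resolver:", run(steps, Resolver({OLD})))
        print(name, "static resolver:  ", run(steps, Resolver({OLD}, tracks=False)))
```

Run as a script, the planned sequence validates at every step for a resolver that tracks the rollover and fails only at the final step for one whose anchor was never updated; the emergency sequence fails at the key change for both, because the new key was never published under a trusted signature and has to be installed out of band. That is the operational impact the message calls hard to assess: a planned roll-over exercises the update path in advance, an emergency one does not get to.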
