[ksk-rollover] Suggested update to the key ceremonies.

Benno Overeinder benno at NLnetLabs.nl
Thu Feb 15 12:28:05 UTC 2018

On 15/02/2018 01:36, Geoff Huston wrote:
>> On 15 Feb 2018, at 8:35 am, Paul Hoffman <paul.hoffman at icann.org> wrote:
>> On Feb 14, 2018, at 12:40 PM, Warren Kumari <warren at kumari.net> wrote:
>>> I think that it would be a useful addition to the script to ensure
>>> that, when a new KSK is generated, it does not have the same Key ID as
>>> any previous KSKs. If it *does* have the same Key ID, it should be
>>> discarded and a new one generated.
>> As someone who has to write tools to deal with ICANN's trust anchors, I give this proposal two thumbs up. 
> Warren has done well to point this out, and yes, it's a small but important aspect of the key generation process

I raised the issue of keyid collision also once at the mic, and from
what I remember someone (from ICANN?) mentioned that at any time a (new)
unique keyid will be generated.

But I fully agree it is important to explicitly mention this in the key
generation procedure (ceremony/protocol).


-- Benno

Benno J. Overeinder
NLnet Labs
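
The check proposed in this thread, as an added example that is not part of the original messages or of ICANN's ceremony script: compute each candidate's key tag (the "Key ID", RFC 4034 Appendix B) and discard any candidate whose tag matches a previous KSK. The function names, the candidate iterator and the four-byte keys are constructed for illustration; a real ceremony would feed in keys generated on the HSM.

```python
import struct
from typing import Iterable, Set, Tuple

# DNSKEY header fields assumed for this example: KSK (SEP bit set), RSASHA256.
KSK_FLAGS, PROTOCOL, ALGORITHM = 257, 3, 8


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high octet of a 16-bit word, odd offsets the low.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF  # fold the carry back in
    return acc & 0xFFFF


def first_unique_ksk(candidates: Iterable[bytes],
                     previous_tags: Set[int]) -> Tuple[bytes, int, int]:
    """Return (public_key, tag, discarded) for the first candidate whose
    key tag was never used by a previous KSK."""
    discarded = 0
    for public_key in candidates:
        tag = key_tag(KSK_FLAGS, PROTOCOL, ALGORITHM, public_key)
        if tag in previous_tags:
            discarded += 1  # same Key ID as an earlier KSK: throw it away
            continue
        return public_key, tag, discarded
    raise RuntimeError("no candidate with an unused key tag")


# Constructed sample data, not real key material.
OLD_KSK = bytes([1, 2, 3, 4])
# A different key, but the tag is only a 16-bit checksum, so swapping
# two octets at same-parity offsets yields the same tag.
COLLIDING = bytes([3, 2, 1, 4])
FRESH = bytes([5, 6, 7, 8])

if __name__ == "__main__":
    used = {key_tag(KSK_FLAGS, PROTOCOL, ALGORITHM, OLD_KSK)}
    key, tag, dropped = first_unique_ksk([COLLIDING, FRESH], used)
    print(f"selected key tag {tag}, discarded {dropped} candidate(s)")
```

Because the key tag is a 16-bit checksum rather than a cryptographic hash, distinct keys can share a tag, which is why the comparison has to be an explicit step in the procedure.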
