[ksk-rollover] Suggested update to the key ceremonies.

Sameka McNeil - NOAA Federal sameka.s.mcneil at noaa.gov
Thu Feb 15 13:51:10 UTC 2018

Hello All,

I will apologize upfront.  I am trying to follow all the threads to keep
up.  I want to make sure the key beginning with "AwEAAaz/" and ending with
"UTV74bU=" is the new KSK key that needs to be in place for rollover.

The last question has made me feel there is a new key being generated.  Is
this the case?  Again, I do apologize if I am off, but I want to make sure I
have the correct key in place.

Thank you for clearing this up for me.

On Wed, Feb 14, 2018 at 4:37 PM, Andres Pavez <andres.pavez at iana.org> wrote:

> Hi Warren,
> Thanks for your suggestion, it is something that we may consider
> including in the script section relating to key generation.
> Anyway, the current software that is used to generate keys (kskgen) ensures
> the use of a unique random label for the newly generated key.
> https://github.com/iana-org/dnssec-keytools/blob/master/kskgen/kskgen.c
> Thanks,
> --
> Andres Pavez
> Cryptographic Key Manager
> On 2/14/18, 12:41, "ksk-rollover on behalf of Warren Kumari" <
> ksk-rollover-bounces at icann.org on behalf of warren at kumari.net> wrote:
>     Apologies if this isn't the right place to propose this - the
>     ksk-ceremony list didn't feel right...
>     I think that it would be a useful addition to the script to ensure
>     that, when a new KSK is generated, it does not have the same Key ID as
>     any previous KSKs. If it *does* have the same Key ID, it should be
>     discarded and a new one generated.
>     Rationale: If we end up with multiple keys with the same Key ID it
>     becomes very tricky to run things like RFC8145, KSK Sentinel, etc.
>     Also, when doing troubleshooting / diagnostics, the key ID is an easy
>     thing to use to differentiate keys.
>     This has long been a source of low-level concern for me, and I've been
>     assured that if there were collisions during the ceremony, the right
>     thing would likely happen -- but I think that this is worth explicitly
>     noting what happens.
>     I *did* look at the scripts, and didn't see a note on this; 'pologies
>     if it is already covered and I missed it.
>     W
>     --
>     I don't think the execution is relevant when it was obviously a bad
>     idea in the first place.
>     This is like putting rabid weasels in your pants, and later expressing
>     regret at having chosen those particular rabid weasels and that pair
>     of pants.
>        ---maf
>     _______________________________________________
>     ksk-rollover mailing list
>     ksk-rollover at icann.org
>     https://mm.icann.org/mailman/listinfo/ksk-rollover


Sameka S. McNeil
Information Technology Specialist
Phone: 301.628.5644

Cell: 202.360.9428
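Warren's proposal above (regenerate a KSK whose Key ID, i.e. DNSSEC key tag, collides with any earlier KSK) is a small, well-defined check. The following is an added illustration written for this page; it is not code from the thread, from IANA's kskgen, or from the ceremony scripts. It computes the RFC 4034 Appendix B key tag from DNSKEY RDATA and applies the discard-and-regenerate rule over a source of candidate public keys. The candidate source is a hypothetical stand-in for the HSM key generation step, and all key bytes below are constructed sample values, not any real root KSK.

```python
import base64
import secrets
from typing import Iterable, Iterator, Set, Tuple

KSK_FLAGS = 257       # ZONE (256) | SEP (1): the flags a KSK carries
DNSKEY_PROTOCOL = 3   # fixed by RFC 4034
RSASHA256 = 8         # the algorithm used by the root KSK


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag for every algorithm except the obsolete RSA/MD5 (1).

    Even-offset bytes are added shifted left by 8, odd-offset bytes as-is,
    then the carry is folded back into the low 16 bits.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_tag_from_presentation(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """Key tag of a DNSKEY given in zone-file presentation form (base64 public key)."""
    return key_tag(dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64)))


def generate_unique_ksk(candidates: Iterable[bytes], existing_tags: Set[int],
                        max_attempts: int = 16) -> Tuple[bytes, int, int]:
    """Take candidate KSK public keys until one has a key tag not used by any earlier KSK.

    Returns (pubkey, key_tag, attempts). A colliding candidate is discarded, which
    is the rule proposed in the thread. Raises if max_attempts is exhausted so the
    ceremony script fails loudly instead of looping forever.
    """
    for attempts, pubkey in enumerate(candidates, start=1):
        tag = key_tag(dnskey_rdata(KSK_FLAGS, DNSKEY_PROTOCOL, RSASHA256, pubkey))
        if tag not in existing_tags:
            return pubkey, tag, attempts
        if attempts >= max_attempts:
            break
    raise RuntimeError("no candidate KSK with an unused key tag within %d attempts" % max_attempts)


def random_candidates(length: int = 257) -> Iterator[bytes]:
    """Hypothetical stand-in for the HSM: yields random byte strings shaped like RSA public keys.

    A real ceremony would call the HSM key-generation step here; this only
    exercises the collision check offline.
    """
    while True:
        # 3-byte exponent length marker + exponent 65537, then a random modulus (constructed).
        yield b"\x03\x01\x00\x01" + secrets.token_bytes(length - 4)


if __name__ == "__main__":
    # Constructed sample KSK with public key bytes 03 01 00 01 AB CD (base64 "AwEAAavN").
    existing = {key_tag_from_presentation(KSK_FLAGS, DNSKEY_PROTOCOL, RSASHA256, "AwEAAavN")}
    pubkey, tag, attempts = generate_unique_ksk(random_candidates(), existing)
    print("new KSK key tag %d accepted after %d attempt(s)" % (tag, attempts))
```

Key tags are only 16 bits, so a collision with one of a handful of previous KSKs is rare but not negligible over the life of the root zone; comparing the tag together with the algorithm number, as RFC 8145 reporting and KSK Sentinel effectively do, is what the `existing_tags` set should key on if more than one algorithm is ever in play.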