[ksk-rollover] Suggested update to the key ceremonies.

Warren Kumari warren at kumari.net
Thu Feb 15 16:04:09 UTC 2018


On Thu, Feb 15, 2018 at 8:51 AM, Sameka McNeil - NOAA Federal
<sameka.s.mcneil at noaa.gov> wrote:
> Hello All,
>
> I will apologize upfront.  I am trying to follow all the threads to keep up.
> I want to make sure the key beginning with "AwEAAaz/"  and ending with
> "UTV74bU="  is the new KSK key that needs to be in place for rollover.

Yup, the new key is:

. 172800 IN DNSKEY 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
) ; KSK; alg = RSASHA256; key id = 20326

If you don't believe me (and you really shouldn't), here is how you can check:
0: Fetch the keys from the root servers: dig +multiline . DNSKEY @b.root-servers.net
   (or a.root-servers.net, c.root-servers.net, etc.).

1: Go to: https://www.iana.org/dnssec/files , and then
http://data.iana.org/root-anchors/root-anchors.xml
1.1: Check that the SSL cert for www.iana.org seems correct (exercise
for the reader!)
1.2: This contains the DS records for the above key - many things will
convert the key into a DS, if you are lazy,
https://filippo.io/dnskey-to-ds/ works.
1.3: Also have a look at the pretty picture at:
https://www.iana.org/reports/2017/root-ksk-2017.pdf - hopefully you
somehow recognize a signature :-)

2: Use the tool at: https://github.com/iana-org/get-trust-anchor

3: There are also detached CMS signatures (root-anchors.p7s), but I've
not managed to find the right set of invocations to make openssl do
anything with this -- clue appreciated.




>
> The last question has made me feel there is a new key being generated.  Is
> this the case?  Again, I do apologize if I am off but I want to make sure I
> have the correct key in place.
>

At some time in the distant future there will (hopefully) be a new new
KSK generated, but not for this particular roll.
W

> Thank you for clearing this up for me.
>
>
>
> On Wed, Feb 14, 2018 at 4:37 PM, Andres Pavez <andres.pavez at iana.org> wrote:
>>
>> Hi Warren,
>> Thanks for your suggestion, it is something that we may consider
>> including in the script section relating to key generation.
>>
>> Anyway, the current software that is used to generate keys (kskgen) ensures
>> the use of a unique random label for the newly generated key.
>>
>> https://github.com/iana-org/dnssec-keytools/blob/master/kskgen/kskgen.c
>>
>> Thanks,
>> --
>> Andres Pavez
>> Cryptographic Key Manager
>>
>> On 2/14/18, 12:41, "ksk-rollover on behalf of Warren Kumari"
>> <ksk-rollover-bounces at icann.org on behalf of warren at kumari.net> wrote:
>>
>>     Apologies if this isn't the right place to propose this - the
>>     ksk-ceremony list didn't feel right...
>>
>>     I think that it would be a useful addition to the script to ensure
>>     that, when a new KSK is generated, it does not have the same Key ID as
>>     any previous KSKs. If it *does* have the same Key ID, it should be
>>     discarded and a new one generated.
>>
>>     Rationale: If we end up with multiple keys with the same Key ID it
>>     becomes very tricky to run things like RFC8145, KSK Sentinel, etc.
>>     Also, when doing troubleshooting / diagnostics, the key ID is an easy
>>     thing to use to differentiate keys.
>>
>>     This has long been a source of low-level concern for me, and I've been
>>     assured that if there were collisions during the ceremony, the right
>>     thing would likely happen -- but I think that this is worth explicitly
>>     noting what happens.
>>
>>     I *did* look at the scripts, and didn't see a note on this; 'pologies
>>     if it is already covered and I missed it.
>>
>>     W
>>     --
>>     I don't think the execution is relevant when it was obviously a bad
>>     idea in the first place.
>>     This is like putting rabid weasels in your pants, and later expressing
>>     regret at having chosen those particular rabid weasels and that pair
>>     of pants.
>>        ---maf
>>     _______________________________________________
>>     ksk-rollover mailing list
>>     ksk-rollover at icann.org
>>     https://mm.icann.org/mailman/listinfo/ksk-rollover
>>
>>
>
>
>
> --
>
> Sameka S. McNeil
> Information Technology Specialist
> Phone: 301.628.5644
> Cell: 202.360.9428
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
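Steps 0 to 1.2 of the check above (fetch the DNSKEY, turn it into a DS, compare with root-anchors.xml) can be done without trusting a third-party converter. The following is an added example, not code from the original mail, from IANA or from the get-trust-anchor tool: it parses the DNSKEY exactly as printed in the thread, computes the RFC 4034 Appendix B key tag (which should come out as the `key id = 20326` dig prints) and the RFC 4509 SHA-256 DS digest over the root owner name plus the RDATA, and compares the result with the digest IANA publishes for that key tag in root-anchors.xml. The `PUBLISHED_DS_DIGEST` constant is that published value, embedded here so the check runs offline; in practice you would paste it from the XML you fetched yourself.

```python
"""Key tag (RFC 4034 App. B) and DS digest (RFC 4034 s5.1.4, RFC 4509) for a DNSKEY.

Added example for the thread above; not IANA's code. Everything needed is
embedded so it runs offline: the DNSKEY RDATA copied from the mail and the
SHA-256 DS digest for key tag 20326 as published in IANA's root-anchors.xml.
"""
import base64
import hashlib
import struct

# KSK-2017 in presentation format, concatenated from the DNSKEY quoted in the thread.
ROOT_KSK_2017 = (
    "257 3 8 "
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO"
    "iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN"
    "7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5"
    "LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8"
    "efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7"
    "pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY"
    "A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws"
    "9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
)

# Digest published by IANA (root-anchors.xml) for key tag 20326, algorithm 8, digest type 2.
PUBLISHED_DS_DIGEST = "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label last."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(presentation: str) -> bytes:
    """Turn 'flags protocol algorithm base64...' into wire RDATA (flags:16, proto:8, alg:8, key)."""
    flags, proto, alg, *b64 = presentation.split()
    key = base64.b64decode("".join(b64), validate=True)
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + key


def is_ksk(rdata: bytes) -> bool:
    """True if the Secure Entry Point flag (bit 15, value 1) is set in the flags field."""
    (flags,) = struct.unpack("!H", rdata[:2])
    return bool(flags & 0x0001)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag; the RSA/MD5 (alg 1) special case is deliberately rejected."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule and is obsolete")
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Return (key tag, algorithm, digest type, upper-case hex digest) of the DS for this DNSKEY."""
    digests = {1: hashlib.sha1, 2: hashlib.sha256}
    if digest_type not in digests:
        raise ValueError("unsupported DS digest type")
    # DS digest input is the canonical owner name followed by the DNSKEY RDATA.
    digest = digests[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def check_root_ksk_2017() -> bool:
    """Does the key quoted in the thread match what IANA publishes for key tag 20326?"""
    rdata = dnskey_rdata(ROOT_KSK_2017)
    tag, alg, dtype, digest = ds_record(".", rdata)
    return is_ksk(rdata) and tag == 20326 and alg == 8 and dtype == 2 and digest == PUBLISHED_DS_DIGEST


if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(".", dnskey_rdata(ROOT_KSK_2017))
    print(f". IN DS {tag} {alg} {dtype} {digest}")
    print("matches root-anchors.xml" if check_root_ksk_2017() else "MISMATCH - do not install")
```

Feeding it the output of `dig +multiline . DNSKEY @b.root-servers.net` from several root servers and comparing against the XML fetched over TLS from data.iana.org gives two independent paths to the same DS; a disagreement between them means either a transcription error or something worth a much closer look.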

