[ksk-rollover] [Ext] Re: Starting discussion on acceptable criteria for proceeding with the root KSK roll
Jakob Schlyter
jakob at kirei.se
Tue Jan 9 07:35:33 UTC 2018
On 2018-01-09 at 01:33, David Conrad wrote:
> Mike,
>
> On January 7, 2018 at 12:53:15 PM, Michael StJohns
> (msj at nthpermutation.com) wrote:
>> If the key gets lost or compromised, my understanding is that we
>> cannot use RFC 5011 to do the roll and must fall back to doing an
>> out-of-band key rollover. We aren’t really exercising this under
>> this iteration of the community defined KSK rollover plan.
>
> Um. No.
>
> As currently operationally practiced, I believe my statement is
> correct.
Your statement is correct.
Adding an emergency rollover key (as described by Mike) has been
considered several times over the years, but has been rejected every
time due to how the primary key is protected and maintained. No failure
scenario has been identified where it wouldn't be possible to recover
from a failure and still maintain public transparency. An emergency
rollover key does not help us in the current design nor does it make the
current key rollover easier.
jakob