[ksk-rollover] ICANN board meeting result and the Current status of KSK-Rollover

Carlos M. Martinez carlosm3011 at gmail.com
Tue Sep 18 14:24:58 UTC 2018


+1 to both of Paul’s points.

1- splitting the keys is good
2- rolling (semi)annually seems a good thing too, prevents people from 
becoming complacent

On 18 Sep 2018, at 11:22, Paul Wouters wrote:

> On Tue, 18 Sep 2018, Dmitry Burkov wrote:
>
>> Do we really still need splitting KSK/ZSK?
>
> Yes we do. The number of KSK private key accesses should be kept at a
> minimum and all of them audited. If you remove the split, any operations
> person can create secret ZSKs to be used in targeted attacks. It might
> be very unlikely but I think we need the insurance.
>
>> On 9/18/18 3:46 PM, Lars-Johan Liman wrote:
>
>>>  I think we should set an "intense" schedule (twice per year? once per
>>>  year?) _beforehand_, to send the message that "there is no relief after
>>>  this, there is only more pain ahead ... unless you automate!" to the DNS
>>>  software community. There must be no way to hardcode the KSK in code.
>>>  This will continue to be this painful until that message is received and
>>>  understood.
>
> I agree doing this annually would prevent hardcoding in software. I
> think that is a great discussion to start a week after this roll :)
>
> Paul