[ksk-rollover] ICANN board meeting result and the Current status of KSK-Rollover

Dmitry Burkov dvburk at gmail.com
Tue Sep 18 16:21:24 UTC 2018

I absolutely agree with you

On 9/18/18 6:37 PM, Paul Wouters wrote:
> Sorry you are right.
> Reread it as “minimize people with access to the most top level key as much as possible”.
> Sent from my phone
>> On Sep 18, 2018, at 11:18, Dmitry Burkov <dvburk at gmail.com> wrote:
>> Paul,
>> not sure that I understood you.
>> I told about the case when we will have one key - but you again mentioned KSK and ZSK
>> Or - please - correct the terminology for this case
>> Dima
>>> On 9/18/18 5:22 PM, Paul Wouters wrote:
>>>> On Tue, 18 Sep 2018, Dmitry Burkov wrote:
>>>> Do we really still need spliting KSK/ZSK?
>>> Yes we do. The number of KSK private key access should be kept at a
>>> minimum and all of them audited. If you remove the split, any operations
>>> person can create secret ZSKs to be used in targeted attacks. It might
>>> be very unlikely but I think we need the insurance.
>>>> On 9/18/18 3:46 PM, Lars-Johan Liman wrote:
>>>>>   I think we should set an "intense" schedule (twice per year? once per
>>>>>   year?) _beforehand_, to send the message that "there is no relief after
>>>>>   this, there is only more pain ahead ... unless you automate!" to the DNS
>>>>>   software community. There must be no way to hardcode the KSK in code.
>>>>>   This will continue to be this painful until that message is received and
>>>>>   understood.
>>> I agree doing this annually would prevent hardcoding in software. I
>>> think that is a great discussion to start a week after this roll :)
>>> Paul

More information about the ksk-rollover mailing list