[ksk-rollover] Why keep old private keys?
rsalz at akamai.com
Wed Apr 3 14:59:33 UTC 2019
What is the point of keeping old keys around? So we can sign “something” in case an old DNS server gets turned back on? What is the downside? Leaving old key material around that could be stolen. (Is someone going to count the HSMs every time a safe is opened, for example?)
We’re trading ease of resurrecting old machines against the security of the DNSSEC world.
Like Mike said: DO NOT KEEP OLD KEYS. If you think you’ll need something signed, then sign the new key and then destroy the HSM.