[ksk-rollover] Future rollover planning opportunities

Paul Wouters paul at nohats.ca
Thu Feb 21 03:52:54 UTC 2019


On Wed, 20 Feb 2019, Michael Richardson wrote:

> Paul Wouters <paul at nohats.ca> wrote:
>    > That makes monitoring and transparency recoding of private key usage
>    > much harder.  It also raises the possibly abuse of any DNSSEC key to the
>    > weakest key escrow method, and will surely raise lots of red flags with
>    > people who already don't trust this system.
>
> yeah, so the idea is not that it be a free-for-all, but that we might have
> many more keys maintained by perhaps just one additional entity.

That was discussed in the past too, eg by the Root Key rollover design
team. The issue with that is that it most likely means that if one key
cannot be used anymore for reason X, most likely the whole set cannot
be used anymore for the same reason. Eg if there is an issue with a RNG,
or with the HSM security, etc.

Paul


More information about the ksk-rollover mailing list