[ksk-rollover] followup of DNSSEC Workshop at ICANN64
Michael Richardson
mcr+ietf at sandelman.ca
Fri Mar 15 23:30:58 UTC 2019
>>> If keys are generated a few years in advance of going into active
>>> use, there is plenty of time for them to be disseminated
>>> beforehand. They do not have to be pre-published in the zone
>>> (although that is what RFC 5011 was designed for); they can be
>>> distributed out of band by software updates or other means. If
>>> there are annual rollovers with keys generated N years in advance,
>>> at any time there will be N pre-published keys one of which might
>>> be pre-published in the zone, one active KSK in production, and
>>> maybe one in retirement.
On 3/14/19 12:38 PM, Michael Richardson wrote:
>> Yes, I'd like to do that. I'd like N=10, and the roll-over frequency
>> to be yearly.
Keith Mitchell <keith at dns-oarc.net> wrote:
> The problem with generating that many keys out into the future is they
> then become hostages to fortune should any issues arise during that
> time-span with the integrity of those keys. e.g. a breach which causes
> the private keys to be disclosed, flaws being discovered in the
> algorithm in use, or the processes used to generate the keys, etc.
> Which would likely mean a complete reset for new keys to be generated,
> and a very large pile of baked-in pre-disseminated keys needing to be revoked.
It seems that these issues exist if there are *any* keys generated before
use, independently of the number of keys. Based upon my reading of the spec
sheet of the HSM that ICANN uses, it can store ~1K key pairs, so it's not
like we need two devices for 10 vs 5 keys.
--
Michael Richardson <mcr+IETF at sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
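The schedule the thread is arguing about (N keys generated years ahead, one of them pre-published in the zone, one active KSK, maybe one retired, annual rollovers, and a "complete reset" that revokes everything after a compromise) is easy to get wrong when reasoning about it in prose. The following is an added example, written for this page and not code from the ksk-rollover list, ICANN or any HSM vendor. It models the key states as a small state machine and reports how many key pairs the HSM must hold in each year. The state names, the one-year pre-publication window, the one-year retirement period and the start year are assumptions; the "tags" are just counters, not real DNSKEY key tags.

```python
"""Model of a pre-generated KSK schedule with annual rollovers (added example).

Assumptions not taken from the thread: a key spends one year pre-published
in the zone before it becomes active (RFC 5011 add hold-down is only 30
days, so this is conservative), a retired key stays one year, and a
compromise triggers a complete reset that revokes every existing key.
"""
import itertools
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    GENERATED = "generated"        # in the HSM, distributed out of band only
    PREPUBLISHED = "prepublished"  # also published in the zone (RFC 5011 add)
    ACTIVE = "active"              # signing the DNSKEY RRset
    RETIRED = "retired"            # no longer signing, still published
    REVOKED = "revoked"            # RFC 5011 revoke bit set, removed next year


_tags = itertools.count(1)  # constructed stand-in for DNSKEY key tags


@dataclass
class Key:
    tag: int
    born: int       # year the key pair was generated
    state: State


def _new(year: int, state: State) -> Key:
    return Key(next(_tags), year, state)


def initial_keys(n: int, year: int) -> List[Key]:
    """One active KSK plus n keys generated ahead, one of them pre-published."""
    keys = [_new(year, State.ACTIVE), _new(year, State.PREPUBLISHED)]
    keys += [_new(year, State.GENERATED) for _ in range(n - 1)]
    return keys


def rollover(keys: List[Key], n: int, year: int) -> None:
    """Annual rollover, in place. Promote from the back so no key skips a state."""
    # 1. last year's retired key and any revoked keys leave the HSM
    keys[:] = [k for k in keys if k.state not in (State.RETIRED, State.REVOKED)]
    # 2. active -> retired
    for k in keys:
        if k.state == State.ACTIVE:
            k.state = State.RETIRED
    # 3. pre-published -> active
    for k in keys:
        if k.state == State.PREPUBLISHED:
            k.state = State.ACTIVE
    # 4. oldest generated-ahead key -> pre-published in the zone
    ahead = [k for k in keys if k.state == State.GENERATED]
    if ahead:
        min(ahead, key=lambda k: (k.born, k.tag)).state = State.PREPUBLISHED
    # 5. top up so that generated + pre-published == n again
    pool = sum(k.state in (State.GENERATED, State.PREPUBLISHED) for k in keys)
    keys += [_new(year, State.GENERATED) for _ in range(n - pool)]


def reset(keys: List[Key], n: int, year: int) -> List[Key]:
    """Complete reset after a compromise: revoke every key, generate a fresh set."""
    for k in keys:
        k.state = State.REVOKED
    return keys + initial_keys(n, year)


def counts(keys: List[Key]) -> Dict[str, int]:
    c = {s.value: 0 for s in State}
    for k in keys:
        c[k.state.value] += 1
    return c


def simulate(n: int, years: int, start: int = 2020,
             compromise_year: Optional[int] = None) -> Dict[int, Dict[str, int]]:
    """Per-year counts of keys by state for an N-ahead annual rollover schedule."""
    keys = initial_keys(n, start)
    history = {start: counts(keys)}
    for year in range(start + 1, start + years + 1):
        rollover(keys, n, year)
        if year == compromise_year:
            keys = reset(keys, n, year)
        history[year] = counts(keys)
    return history


def hsm_slots_needed(history: Dict[int, Dict[str, int]]) -> int:
    """Peak number of key pairs resident in the HSM over the simulated period."""
    return max(sum(c.values()) for c in history.values())


if __name__ == "__main__":
    for n in (5, 10):
        h = simulate(n, years=6, compromise_year=2023)
        for year, c in h.items():
            print(n, year, c)
        print("N =", n, "peak HSM slots:", hsm_slots_needed(h))
```

With N = 10 the steady state is 12 resident key pairs (10 ahead, one active, one retired); the compromise year peaks at 23 because the 12 revoked keys sit beside the 11 fresh ones until the next rollover, and with N = 5 the same reset revokes 7. Either way the number is two orders of magnitude below the ~1K pairs mentioned above, which is the capacity point made in the reply; what the model also makes visible is that the size of the revoke pile scales with N, which is Keith's point.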