[ksk-rollover] followup of DNSSEC Workshop at ICANN64
S Moonesamy
sm+icann at elandsys.com
Sat Mar 16 23:34:51 UTC 2019
Hello,
At 03:16 PM 16-03-2019, Dave Lawrence wrote:
>It seems to me that what such a list gets you is lead time on cracking
>future keys, or more things that end up useless in the event some
>aspect of the whole process is found to have been faulty. This in
>exchange for the busywork of changing the current key more frequently
>without adding any real additional security in the process.
The first "trust anchor" was in use for around 10 years. Although it
has not caused any security issue, it is better to have "key
rotation". There have been discussions in DNSOP and in other venues
about "cracking keys" but they were not about the KSK "private key".
The current design was not driven by technical limitations of the
HSMs used to store the cryptographic material. Having more "keys"
might require changes to the design. That would open up an
additional set of issues to consider.
Regards,
S. Moonesamy