[ksk-rollover] followup of DNSSEC Workshop at ICANN64

S Moonesamy sm+icann at elandsys.com
Sat Mar 16 23:34:51 UTC 2019

At 03:16 PM 16-03-2019, Dave Lawrence wrote:
>It seems to me that what such a list gets you is lead time on cracking
>future keys, or more things that end up useless in the event some
>aspect of the whole process is found to have been faulty.  This in
>exchange for the busywork of changing the current key more frequently
>without adding any real additional security in the process.

The first "trust anchor" was in use for around 10 years.  Although it 
has not caused any security issue, it is better to have "key 
rotation".  There have been discussions in DNSOP and in other venues 
about "cracking keys" but they were not about the KSK "private key".

The current design was not driven by technical limitations of the 
HSMs used to store the cryptographic material.  Having more "keys" 
might require changes to the design.  That would open up an 
additional set of issues to consider.

S. Moonesamy
