[ksk-rollover] followup of DNSSEC Workshop at ICANN64

Michael Richardson mcr+ietf at sandelman.ca
Sun Mar 17 20:24:50 UTC 2019

Dave Lawrence <tale at dd.org> wrote:
    > Michael Richardson writes:
    >> It seems that these issues exist if there are *any* keys generated
    >> before use, independantly of the number of keys.

    > Yes, exactly, which makes me scratch my head every time someone
    > proposes a list of pre-generated keys as the solution to this
    > problem.

Interesting that we agree on a core assumption and then come to opposite
conclusions :-)

    > It seems to me that what such a list gets you is lead time on cracking
    > future keys, or more things that end up useless in the event some
    > aspect of the whole process is found to have been faulty.  This in
    > exchange for the busywork of changing the current key more frequently
    > without adding any real additional security in the process.

I could live with a KSK being in use for a long period of time.
But, I don't buy the lead time argument.
If any of the N keys are vulnerable to brute force attack in the planned use
of period, then all the keys are vulnerable to an adversary with 1/N more
resources.  Do you agree with this?

Brute force is not the only attack: there are possible "Mission
Impossible"-like exfiltration attacks against the HSM(s). Do these attacks
depend upon how many keys there are?  I don't think so.

Michael Richardson <mcr+IETF at sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190317/78c12103/signature.asc>

More information about the ksk-rollover mailing list