[ksk-rollover] followup of DNSSEC Workshop at ICANN64

Erwin Lansing erwin at dk-hostmaster.dk
Fri Mar 22 08:34:22 UTC 2019

Thanks again for a yet another great DNSSEC workshop in Kobe!

Let me chime in and recap what I said at the meeting.  I’m for regular rolling of the root KSK. Less than 5 years, which is too long to keep institutional and operational memory, but no more than every year, which would just be too much churn.  Since we’re not in any hurry, I would use some time to look more into the strange increases we’ve seen, but it is not something that keeps me up at night.

With regards to online standby keys, it needs to be seen in a holistic way. What threats or scenarios are those keys trying to mitigate?  Do they actually provide the security we think they do? E.g. if the active and standby keys are generated in the same HSM, it is no protection from an HSM compromise. What new vulnerabilities do published standby keys pose? With all the lessons learned since 2010, let’s go back to defining the problem we’re trying to solve, rather than having standby keys as a solution looking for a problem.

Med venlig hilsen / Best regards

Erwin Lansing
Head of Security & Chief Technologist

[cid:image001.png at 01D407D6.ABC8B400][cid:image008.png at 01D407D6.CD80C0B0]<https://www.facebook.com/dkhostmaster><https://www.facebook.com/dkhostmaster><https://www.facebook.com/dkhostmaster><https://www.facebook.com/dkhostmaster><https://www.facebook.com/dkhostmaster><https://www.facebook.com/dkhostmaster> <https://www.facebook.com/dkhostmaster> [cid:image009.png at 01D407D6.CD80C0B0] <https://www.linkedin.com/company/dk-hostmaster-as> <https://www.linkedin.com/company/dk-hostmaster-as> <https://www.linkedin.com/company/dk-hostmaster-as> <https://www.linkedin.com/company/dk-hostmaster-as> <https://www.linkedin.com/company/dk-hostmaster-as> <https://www.linkedin.com/company/dk-hostmaster-as>  <https://www.linkedin.com/company/dk-hostmaster-as>

<http://www.internetdagen.dk/>DK Hostmaster A/S • Ørestads Boulevard 108, 11. sal • 2300 København S
+45 2980 9214 •  erwin at dk-hostmaster.dk • www.dk<http://www.dk>-hostmaster.dk<http://hostmaster.dk>
[cid:image007.png at 01D407D6.ABC8B400]

This is an email from DK Hostmaster A/S. This message may contain confidential information and is intended solely for the use of the intended addressee. If you are not the intended addressee, please notify the sender immediately and delete this e-mail from your system.

On 21 Mar 2019, at 14.42, Jacques Latour <Jacques.Latour at cira.ca<mailto:Jacques.Latour at cira.ca>> wrote:

As I also stated in the DNSSEC workshop, I support a regular root KSK rollover, annually but not longer than two years, we need to develop muscle memory to rollover the key.  Also, if the removal of the old key tomorrow is non eventful then I think it would be worthwhile to roll the key in 6 months while our memory is still fresh, this may force the one who manually update to use automated mechanisms.

As for the unexpected increased DNSKEY query results, as I said, it looks very interesting but if there were real users or applications problems behind it then they would be been fix by now, and in my view the increase is probably not end-user / application impacting.  Just plain old hardcoding ;-)


-----Original Message-----
From: ksk-rollover <ksk-rollover-bounces at icann.org<mailto:ksk-rollover-bounces at icann.org>> On Behalf Of Yoshiro
Sent: March 13, 2019 5:33 PM
To: ksk-rollover at icann.org<mailto:ksk-rollover at icann.org>
Subject: [ksk-rollover] followup of DNSSEC Workshop at ICANN64

Hi all,

During DNSSEC Workshop at ICANN64, there were discussion regarding future
KSK rollover.


This is followup what I said.

I support regular Root Zone KSK Rollover for operational maturity and DNS
software matulity.
The importance is doing regulary.  Frequency may be once per 2-3 years, less
than 5 years.

Yoshiro YONEYA

ksk-rollover mailing list
ksk-rollover at icann.org
ksk-rollover mailing list
ksk-rollover at icann.org<mailto:ksk-rollover at icann.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190322/ceaba053/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 3132 bytes
Desc: image001.png
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190322/ceaba053/image001-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image008.png
Type: image/png
Size: 880 bytes
Desc: image008.png
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190322/ceaba053/image008-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image009.png
Type: image/png
Size: 1123 bytes
Desc: image009.png
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190322/ceaba053/image009-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image007.png
Type: image/png
Size: 453 bytes
Desc: image007.png
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190322/ceaba053/image007-0001.png>

More information about the ksk-rollover mailing list