[ksk-rollover] followup of DNSSEC Workshop at ICANN64

Michael Richardson mcr+ietf at sandelman.ca
Fri Mar 22 11:22:36 UTC 2019

Erwin Lansing via ksk-rollover <ksk-rollover at icann.org> wrote:
    > With regards to online standby keys, it needs to be seen in a holistic
    > way.  What threats or scenarios are those keys trying to mitigate?  Do
    > they actually provide the security we think they do? E.g. if the active
    > and standby keys are generated in the same HSM, it is no protection
    > from an HSM compromise. What new vulnerabilities do published standby
    > keys pose? With all the lessons learned since 2010, let’s go back to
    > defining the problem we’re trying to solve, rather than having standby
    > keys as a solution looking for a problem.

Pre-published keys let us embed anchors into devices/firmware that might sit
on shelves/in boxes for a few years.  It also lets us install operating
systems that are not the most recent (a Long-Term-Support) in order to
reproduce systems that are in production.

Of course, we want to update these things with patches, but that requires
DNS, and if we are going to take the view that DNSSEC should always be on,
then we need it to be on during patching.

That's the problem statement.
(and... there are solutions other than pre-published keys.)

Michael Richardson <mcr+IETF at sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
