[ksk-rollover] (Un)planning future KSK replacements

Fred Baker fred at isc.org
Fri Mar 29 11:36:55 UTC 2019

From my perspective, we need the rolls in order to counter potential compromises of the root key. One of the characteristics of a successful compromise of the root key is that we don't know it happened. Hence, waiting until we know it happened to roll it is a matter of waiting for the horses to leave the proverbial barn before closing the barn door. Apologies if that's an Americanism...

If we follow that logic to its conclusion, if we roll the key at all, ever, we need to roll it periodically - and there is no last roll, because the threat never goes away. The issue is the interval, not the requirement for doing so. As to what period - I have previously said on this list that quarterly or annually seems reasonable from my perspective, based on the level of effort ISC put into the key roll. Again, the argument for more frequently than once per century is that the more frequently it rolls the greater the probability that (1) people will not be surprised that it does and (2) the process is automated to make it painless, or as painless as it can be.

One comment that was made earlier is that care needed to be taken around some folks that compile the key into their software. From my perspective, it makes sense to compile a reference key that can be used to validate a new key downloaded in a DNSKEY record. Apart from that, I have a hard time imagining why one would compile a key into the software - because it makes rolling the key that much harder.

> On Mar 29, 2019, at 9:58 AM, Phil Regnauld <regnauld at nsrc.org> wrote:
> Carlos M. Martinez (carlosm3011) writes:
>> Should the rolls continue forever ? Maybe not, but I definitely see a need
>> for them in the next 4-5 years.
> 	Why shouldn't the rolls continue forever ? What's the argument for
> 	not doing so ? Exception situations that don't get tested are almost
> 	certain to fail in one way or another. By making the exception the
> 	normal course of operations, it's part of daily operations, and it
> 	stops being an issue.
> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover
