[ksk-rollover] ceremonies in April, and managing things less critical and the KSK.

S Moonesamy sm+icann at elandsys.com
Sat Apr 4 20:53:11 UTC 2020


Hi Michael,
At 12:54 PM 04-04-2020, Michael Richardson wrote:
>I was locating appropriate references for explaining Key signing ceremonies,
>and noticed the report of the safe problems at:

KSK Ceremony was held on February 15, 2020.  There was an 
announcement at 
https://mm.icann.org/pipermail/root-dnssec-announce/2020/000125.html

>and then the schedule at:
>     https://www.iana.org/dnssec/ceremonies
>
>in which April 23 is the next date.
>Will travel bans cause a problem?  I kinda hope the travel bans are enforced.

I'll leave the above to PTI.

>     "Introduce HSM6E"
>Does this mean that a new HSM device will be added?
>I see RRSIG from keyid 20326 (current root) will expire 20200422000000.
>Maybe there is another RRSIG hidden away that I can't see?

The last SKR expires on July 7, 2020 at 00:00 (UTC).

>https://www.iana.org/dnssec/icann-dps.txt
>I am unclear from reading things over again how the ZSK gets to the ceremony.
>Is a new ZSK keypair generated during the KSK, or is it generated elsewhere
>and only the public part brought?

Verisign generates a Key Signing Request.  There are sets of signed 
keys which are generated during a KSK Ceremony.

>But, I started re-reading things because I was looking for pointers to
>documents *less* secure practices for CA key management.  That's poor
>wording.
>let me try again: Practices for lower value assets than the KSK.

There may be some old documentation (it is from around a decade ago) which 
might be of help to the alternatives which were considered.  The 
requirements for the Root Zone are unique.  I suggest assessing which 
of them works for your case.

Regards,
S. Moonesamy 
