[ksk-rollover] ceremonies in April, and managing things less critical and the KSK.

S Moonesamy sm+icann at elandsys.com
Sat Apr 4 20:53:11 UTC 2020

Hi Michael,
At 12:54 PM 04-04-2020, Michael Richardson wrote:
>I was locating appropriate references for explaining Key signing ceremonies,
>and noticed the report of the safe problems at:

KSK Ceremony was held on February 15, 2020.  There was an 
announcement at 

>and then the schedule at:
>     https://www.iana.org/dnssec/ceremonies
>in which April 23 is the next date.
>Will travel bans cause a problem?  I kinda hope the travel bans are enforced.

I'll leave the above to PTI.

>     "Introduce HSM6E"
>Does this mean that a new HSM device will be added?
>I see RRSIG from keyid 20326 (current root) will expire 20200422000000.
>Maybe there is another RRSIG hidden away that I can't see?

The last SKR expires on July 7, 2020 at 00:00 (UTC).

>I am unclear from reading things over again how the ZSK gets to the ceremony.
>Is a new ZSK keypair generated during the KSK, or is it generated elsewhere
>and only the public part brought?

Verisign generates a Key Signing Request.  There is a sets of signed 
keys which are generated during a KSK Ceremony.

>But, I started re-reading things because I was looking for pointers to
>documents *less* secure practices for CA key management.  That's poor
>let me try again: Practices for lower value assets than the KSK.

There may be some old documentation (it is around a decade ago) which 
might be of help to the alternatives which were considered.  The 
requirements for the Root Zone are unique.  I suggest assessing which 
of them you works for your case.

S. Moonesamy 

More information about the ksk-rollover mailing list